APT Rules

The APT (Advanced Persistent Threat) Rules functionality in NETALERT enables administrators to customize detection parameters for sophisticated, long-term threats. By modifying APT rules, the solution can better identify stealthy intrusions and targeted attacks that evolve over extended periods. These rules often incorporate multiple indicators—such as anomalous behaviors, suspicious connections, and advanced malware signatures—to provide an in-depth defense strategy.

To access the APT Rules interface, navigate to Administration > APT Rules in the Web Interface.


The APT Rules interface offers the following actions:

  • Add APT Rule – Creates a new rule entry where detection parameters, thresholds, and tests can be defined.
  • Edit – Modifies the parameters, thresholds, or tests of an existing APT rule.
  • Activate/Deactivate – Activates or deactivates an APT rule, enabling or disabling its functionality in the detection system.
  • Delete – Removes an existing APT rule from the system, permanently eliminating its configuration and associated tests.
  • Import CSV – Uploads a CSV file containing predefined APT rules.
  • Export CSV – Saves the current APT rules to a CSV file.

The APT Settings section defines thresholds, Machine Learning (ML) scores, severity levels, and impact ratings for specific advanced threat scenarios.


How to create APT Rules

To define a new APT Rule, press the Add APT Rule button in the APT Rules interface. The following fields must be specified:

  • Name – A unique identifier for the APT Rule.

  • Threshold – The value at which an alert is triggered if the rule’s conditions are met or exceeded.

  • ML Score – A Machine Learning-based score that assesses the likelihood of a detected activity being malicious. Higher values indicate greater suspicion.

  • Severity – Represents the criticality of the detected activity, helping prioritize alerts based on their potential threat level.

  • Impact – Categorizes the potential consequences of a detected threat using predefined levels (LOW, MEDIUM, HIGH, CRITICAL). A higher impact level indicates a greater risk to systems, data, or operations.

  • Add test – Select one or more tests from the dropdown list. After adding these tests, each can be configured individually to adjust detection parameters.


Below is a summary of each Test option available in the APT Rules interface, along with a brief description of its purpose. These tests can be combined and configured to detect a variety of potential threats or anomalies in network traffic:

  • Custom – Allows administrators to define user-specific conditions or thresholds not covered by the predefined tests.
  • Non Standard – Detects traffic occurring on ports or protocols that deviate from typical standards (e.g., HTTPS on port 8080).
  • Internal Transfer – Identifies file transfers or data exchanges within the internal network, potentially highlighting lateral movement.
  • External Transfer – Flags file transfers or data exchanges from internal to external hosts, useful for detecting potential exfiltration.
  • Certificate Error – Monitors SSL/TLS connections for invalid or mismatched certificates, indicating possible misconfiguration or malicious interception.
  • Brute Force – Detects repeated login attempts from the same source, indicating a potential brute-force attack.
  • TOR – Identifies traffic to or from known TOR exit nodes, suggesting anonymized or potentially malicious communication.
  • Internal To External Communication – Flags communications originating from inside the network and directed toward external hosts, highlighting unusual outbound connections.
  • ProxyTraffic – Detects traffic routed through proxy servers, useful for identifying hidden or redirected connections.
  • DNS Request Error Server Failure – Alerts on DNS queries resulting in server failures, indicating possible misconfiguration or suspicious DNS activity.
  • Dynamic DNS Request – Monitors DNS queries to dynamic DNS services, which can be used by attackers to mask malicious infrastructure.
  • Kerberos – Tracks unusual Kerberos-related traffic, potentially revealing authentication anomalies or lateral movement attempts.
  • SMTP – Observes SMTP-based communications for suspicious behavior, such as spam or unauthorized email usage.
  • Connections On Known Protocols In Non Standard Ports – Detects protocols (e.g., HTTP, FTP) running on unexpected ports, possibly indicating evasion of standard security controls.
  • Alert Address Scan By IP – Identifies scanning attempts targeting multiple IP addresses, often a sign of reconnaissance or vulnerability probing.
  • Alert Port Scan By IP – Detects port scanning behavior from a specific IP, signaling an attempt to find open services on a target.
  • Alert Heart Bleed – Monitors for Heartbleed vulnerability indicators in SSL/TLS traffic, helping to prevent data leaks.
  • Alert IOC IP – Flags communication with IP addresses listed as Indicators of Compromise, suggesting malicious or high-risk connections.
  • Alert DNS Timeout – Alerts on DNS requests that time out, which may indicate misconfigurations or deliberate attempts to evade detection.
  • Alert Anomalous Connections – Identifies connections exhibiting unusual patterns, volumes, or frequencies, hinting at potential intrusions.
  • Alert Invalid SSL – Detects SSL certificates that fail validation checks, often pointing to compromised certificates or MITM attacks.
  • Alert Brute Force – Recognizes repeated login failures or authentication attempts from the same source IP, highlighting brute-force activity.
  • Alert Communication Over Non Standard Port – Spots network traffic using ports not typically associated with the given protocol, potentially bypassing standard security measures.
  • Alert IOC Domains – Flags domain names identified as malicious or suspicious in threat intelligence feeds, indicating possible compromise.

Examples of APT Rules

Example 1 - APT_Malware

In this example, three separate tests contribute to an APT alert, each holding an equal weight of 50%:

  • Test Alert IOC IP – This test is validated if at least one Alert IOC IP type alert is detected within a one-week period.

  • Test Port Scan By IP – This test is validated if at least one Alert Port Scan By IP type alert occurs within the same timeframe.

  • Test Custom – This test is validated if at least one Custom type alert is detected within a week. The Custom event is confirmed when the number of events exceeds the Test Threshold (set to 1) based on the Custom Query (AlertName:"Network Vulnerability Scan"), which queries alerts of type Alert.


Once all three tests are validated, a weighted arithmetic mean is calculated using the values specified in the Weight field of each test. The final result (weighted_arithmetic_mean) is then compared to the defined Threshold.

If the weighted arithmetic mean exceeds the 70% threshold, an APT alert is triggered.
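The scoring described above, worked through as an added Python example that is not NETALERT's own code: the rule and alert field names, the one-week look-back window, and the 100/0 scoring of validated and failed tests are assumptions made here. The same computation applies to Examples 2 to 6, which differ only in their tests, weights and threshold.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (type, AlertName, timestamp); not real NETALERT data.
ALERTS = [
    ("Alert IOC IP", "IOC IP match", datetime(2024, 5, 1, 9, 0)),
    ("Alert Port Scan By IP", "Port scan", datetime(2024, 5, 2, 14, 30)),
    ("Alert", "Network Vulnerability Scan", datetime(2024, 5, 3, 8, 0)),
    ("Alert", "Network Vulnerability Scan", datetime(2024, 5, 4, 8, 5)),
    ("Alert", "Network Vulnerability Scan", datetime(2024, 2, 1, 8, 5)),  # older than a week
]

# Rule mirroring Example 1: three tests of weight 50, rule threshold 70. Field names
# are assumptions. A test is validated when its in-window alert count exceeds its
# test threshold; the "at least one alert" tests are modelled as threshold 0.
APT_MALWARE = {
    "threshold": 70,
    "window": timedelta(days=7),
    "tests": [
        {"alert_type": "Alert IOC IP", "weight": 50, "test_threshold": 0},
        {"alert_type": "Alert Port Scan By IP", "weight": 50, "test_threshold": 0},
        {"alert_type": "Alert", "query_name": "Network Vulnerability Scan",
         "weight": 50, "test_threshold": 1},
    ],
}
NOW = datetime(2024, 5, 5, 12, 0)  # constructed evaluation time

def is_validated(test, alerts, now, window):
    """Count alerts of the test's type (and AlertName for the Custom query) in the window."""
    count = sum(1 for a_type, a_name, ts in alerts
                if a_type == test["alert_type"]
                and test.get("query_name", a_name) == a_name
                and now - window <= ts <= now)
    return count > test["test_threshold"]

def evaluate_rule(rule, alerts, now):
    """Weighted arithmetic mean of test results (assumed 100 if validated, else 0)
    compared with the rule threshold; the Threshold field fires when met or exceeded."""
    scored = [(t["weight"], 100 if is_validated(t, alerts, now, rule["window"]) else 0)
              for t in rule["tests"]]
    total = sum(w for w, _ in scored)
    mean = sum(w * v for w, v in scored) / total if total else 0.0
    return mean, mean >= rule["threshold"]

def run_example():
    """All three tests validated, then only one Custom event in the window (test fails)."""
    return evaluate_rule(APT_MALWARE, ALERTS, NOW), evaluate_rule(APT_MALWARE, ALERTS[:3], NOW)
```

With all three tests validated the mean is 100 and the rule fires; with the Custom test failing, two validated tests of three equal weights give 66.7, below the 70 threshold, so no APT alert is raised.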


Example 2 - Data Exfiltration via Unusual External Transfer

In this example, three separate tests contribute to an APT alert:

  • Test Internal Transfer – Monitors large internal data transfers.

  • Test External Transfer – Flags unusual outbound data flows.

  • Test Internal To External Communication – Detects unusual outbound connections that could indicate data exfiltration.

A potential data breach is detected when large amounts of data are transferred internally (Internal Transfer) before being sent outside the network (External Transfer). If unusual outbound connections are detected (Internal To External Communication), it could indicate an attempt to exfiltrate sensitive information.


Once all three tests are validated, a weighted arithmetic mean is calculated using the values specified in the Weight field of each test. The final result (weighted_arithmetic_mean) is then compared to the defined Threshold.

If the weighted arithmetic mean exceeds the 80% threshold, an APT alert is triggered.

Example 3 - Suspicious_Network_Reconnaissance_Activity

In this example, three separate tests contribute to an APT alert:

  • Test Alert IOC IP – Checks for communication with known malicious IPs.
  • Test Alert Port Scan By IP – Detects unusual port scanning behavior.
  • Test Alert DNS Timeout – Flags repeated failed DNS queries, potentially signaling reconnaissance attempts.

A threat actor is attempting to scan the network for open ports and vulnerabilities. If a system within the organization communicates with a known malicious IP (Alert IOC IP) and simultaneously performs excessive port scanning (Alert Port Scan By IP), it may indicate reconnaissance. Additionally, repeated DNS query failures (Alert DNS Timeout) suggest attempts to resolve domains that no longer exist, possibly linked to abandoned malware infrastructure.


Once all three tests are validated, a weighted arithmetic mean is calculated using the values specified in the Weight field of each test. The final result (weighted_arithmetic_mean) is then compared to the defined Threshold.

If the weighted arithmetic mean exceeds the 70% threshold, an APT alert is triggered.

Example 4 - Brute_Force_Attack_on_Authentication_Services

In this example, three separate tests contribute to an APT alert:

  • Test Alert Brute Force – Detects repeated login attempts from the same source.
  • Test Kerberos – Monitors authentication requests for suspicious activity.
  • Test Alert Invalid SSL – Flags incorrect SSL/TLS certificate usage.

An attacker is attempting unauthorized access by repeatedly guessing credentials (Alert Brute Force). If the authentication mechanism (Kerberos) detects a spike in failed login attempts and improper SSL/TLS certificates are used (Alert Invalid SSL), it may indicate an attacker testing login credentials or attempting to intercept encrypted traffic.


Once all three tests are validated, a weighted arithmetic mean is calculated using the values specified in the Weight field of each test. The final result (weighted_arithmetic_mean) is then compared to the defined Threshold.

If the weighted arithmetic mean exceeds the 75% threshold, an APT alert is triggered.

Example 5 - Malicious_Traffic_from_TOR_Nodes

In this example, three separate tests contribute to an APT alert:

  • Test Historical Tor Exit Node – Detects connections originating from the TOR network.

  • Test Alert Communication Over Non Standard Port – Flags traffic on unexpected ports.

  • Test Alert Anomalous Connections – Identifies connections that deviate from normal behavior.

An attacker is using TOR exit nodes to obfuscate their identity and access internal resources. If traffic is seen coming from known TOR exit nodes, using non-standard ports to communicate with internal assets, and establishing unusual connections, this could indicate malicious activity.


Once all three tests are validated, a weighted arithmetic mean is calculated using the values specified in the Weight field of each test. The final result (weighted_arithmetic_mean) is then compared to the defined Threshold.

If the weighted arithmetic mean exceeds the 65% threshold, an APT alert is triggered.

Example 6 - Phishing_Attack_with_Malicious_Domains

In this example, three separate tests contribute to an APT alert:

  • Test Alert IOC Domains – Flags access to known malicious domains.
  • Test Dynamic DNS Request – Monitors domain generation algorithm-based activity.
  • Test SMTP – Detects suspicious email behavior.

An attacker is using phishing emails to trick employees into clicking on malicious links. If an email is sent from an SMTP server that exhibits unusual behavior, and the recipient's device accesses a known malicious domain (Alert IOC Domains) or a dynamically generated domain (Dynamic DNS Request), this suggests a phishing attempt leading to malware infection.


Once all three tests are validated, a weighted arithmetic mean is calculated using the values specified in the Weight field of each test. The final result (weighted_arithmetic_mean) is then compared to the defined Threshold.

If the weighted arithmetic mean exceeds the 70% threshold, an APT alert is triggered.
