🌍 Network Peer Detections
🔗 Tracking Network Connections
Network peer detection recipes monitor network connections and DNS resolutions to identify communication with malicious, suspicious, or policy-violating destinations. They detect C2 communication, malware callbacks, and data exfiltration by checking every peer against a reputation database of more than 2 million domains.
🎯 What These Detections Monitor
Network peer recipes check connections and DNS queries against reputation databases containing millions of known malicious domains, and apply heuristics for destinations that no list can enumerate (algorithmically generated names, newly registered domains, cloud metadata endpoints):
🎭 Threat Intelligence
- Command & Control servers
- Malware distribution sites
- Known phishing domains
🤖 Algorithmic Detection
- Domain Generation Algorithms
- Recently registered domains
- Dynamic DNS abuse
🔒 Cloud & Infrastructure
- Cloud metadata access
- VPN/Proxy services
- Plaintext communications
📋 Policy Violations
- Adult content sites
- Gambling websites
- Piracy domains
📂 Detection Categories
🎭 Threat Intelligence
- Threat Domain Access - Known malicious domains
- Badware Domain Access - Malware distribution sites
- Phishing Domains - Known phishing sites
🤖 Algorithmic Detection
- Algorithmic Domains - Domain Generation Algorithm (DGA) patterns
- General New Domains - Recently registered domains
🔀 Network Evasion
- VPN-like Domain Access - VPN and proxy services
- Dynamic DNS (DynDNS) - Dynamic DNS services often abused by attackers
☁️ Cloud and Infrastructure
- Cloud Metadata Access - Connections to cloud provider instance metadata services; these endpoints hand out instance credentials, so access from an unexpected process is critical to catch in cloud environments
🔒 Communication Security
- Plaintext Communication - Unencrypted network communications; helps enforce encryption policies
📋 Content Policy
- Adult Domain Access - Adult content sites
- Gambling Domain Access - Gambling websites
- Piracy Domain Access - Piracy sites
- Tracking Domain Access - Advertising and tracking domains
🎪 Fake and Fraudulent Content
- Fake Domain Access - Known fake or fraudulent websites
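The following is an added, self-contained example (not the product's own recipe code) of how the categories above combine in one evaluation pass. It runs constructed DNS and connect events through a tiny stand-in reputation table, a Shannon-entropy DGA heuristic, a cloud metadata endpoint check, and a plaintext-port check. The reputation entries, the metadata endpoint list, the plaintext port list, and the sample events are all assumptions made for illustration; the real database has millions of entries and a production DGA detector would use a public suffix list and a trained model rather than an entropy threshold.

```python
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for the reputation database (the real one has 2M+ entries).
# Category names follow the detection categories listed on the page.
REPUTATION = {
    "evil-c2.example": "threat",
    "dropper.example": "badware",
    "login-bank-secure.example": "phishing",
    "free-vpn.example": "vpn",
    "host.dyndns.example": "dyndns",
    "ads-tracker.example": "tracking",
}

# Cloud instance metadata endpoints (assumed list: AWS/Azure IPv4, AWS IPv6, GCP hostname).
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"),
                ipaddress.ip_address("fd00:ec2::254")}
METADATA_HOSTS = {"metadata.google.internal"}

# Ports whose protocol is normally cleartext (assumed policy list).
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass
class Event:
    kind: str            # "dns" (a resolution) or "connect" (an outbound socket)
    pid: int
    comm: str
    domain: str = ""     # queried name, or the name the connect IP was resolved from
    ip: str = ""         # destination address for connect events
    port: int = 0


@dataclass
class Finding:
    category: str
    detail: str
    pid: int


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Label left of the last dot; a real implementation would consult a public suffix list."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_algorithmic(domain: str) -> bool:
    """Cheap DGA heuristic: long label, high character entropy, few vowels."""
    label = registrable_label(domain)
    if len(label) < 12:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.5 and vowel_ratio < 0.25


def evaluate(events, reputation=REPUTATION):
    """Run every event through the reputation, metadata, DGA and plaintext checks."""
    findings = []
    for ev in events:
        dom = ev.domain.lower().rstrip(".")
        if dom:
            cat = reputation.get(dom)
            if cat:
                findings.append(Finding(cat, f"{dom} is listed as {cat}", ev.pid))
            elif dom in METADATA_HOSTS:
                findings.append(Finding("cloud_metadata", f"{ev.comm} resolved {dom}", ev.pid))
            elif looks_algorithmic(dom):
                findings.append(Finding("algorithmic", f"{dom} looks DGA-generated", ev.pid))
        if ev.kind == "connect":
            ip = ipaddress.ip_address(ev.ip)
            if ip in METADATA_IPS:
                findings.append(Finding("cloud_metadata",
                                        f"{ev.comm} connected to {ev.ip}:{ev.port}", ev.pid))
            elif ev.port in PLAINTEXT_PORTS and not ip.is_loopback:
                findings.append(Finding("plaintext",
                                        f"{PLAINTEXT_PORTS[ev.port]} to {ev.ip}:{ev.port}", ev.pid))
    return findings


def summarize(findings):
    """Count findings per category, the shape an alert dashboard would consume."""
    return dict(Counter(f.category for f in findings))


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event("dns", 101, "curl", domain="evil-c2.example"),
    Event("dns", 102, "python3", domain="xk3j9q2mzv7bwlr4p.example"),
    Event("connect", 103, "curl", ip="169.254.169.254", port=80),
    Event("connect", 104, "wget", domain="ads-tracker.example", ip="203.0.113.10", port=80),
    Event("dns", 105, "firefox", domain="docs.example"),
    Event("connect", 106, "ssh", ip="203.0.113.20", port=22),
    Event("dns", 107, "gcloud", domain="metadata.google.internal"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.category}] pid={f.pid} {f.detail}")
```

Note that a single connect event can raise two findings (the tracking-domain connection above is also plaintext HTTP), and that the metadata check runs before the plaintext check so that a metadata call on port 80 is reported as the more serious category rather than as a generic cleartext connection.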
📊 Reputation Database & Performance
📚 Database Scale
- 2M+ malicious domains categorized by threat type
- Regular updates to stay current with emerging threats
- Multiple categories for comprehensive coverage
⚡ Performance Tuning
Some detection recipes are available in up to three flavors, which control how much of the reputation database is loaded and therefore how much memory and CPU the recipe consumes:
- Full – Loads the complete reputation database for maximum coverage (uses the most memory)
- Medium – Uses a reduced set for a balance between coverage and memory use
- Light – Loads only essential threat intelligence for the smallest memory footprint
Select the flavor that fits the host's resources: a lighter flavor trades some coverage for lower memory use and system load while keeping the most important threat intelligence.
🎯 Threat Coverage
- Command & Control servers
- Malware distribution
- Phishing campaigns
- Policy violations
🛡️ MITRE ATT&CK Coverage
Command & Control
- T1071 - Application Layer Protocol (C2 over web protocols, T1071.001, or DNS, T1071.004)
- T1568.002 - Dynamic Resolution: Domain Generation Algorithms
- T1090 - Proxy (VPN/proxy usage)
Initial Access & Reconnaissance
- T1566 - Phishing
- T1595 - Active Scanning
Credential Access
- T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
Impact
- T1496 - Resource Hijacking
- T1499 - Endpoint Denial of Service