Encrypted Traffic Collection


The Encrypted Traffic Collection offers dozens of unique insights into SSL, SSH, and RDP connections along with top encrypted insights from the Zeek® community like JA3 — all without decryption.


Insights

Custom encryption detection
Detect connections that are already encrypted without an observed handshake, which can indicate custom or pre-negotiated encryption
DNS over HTTPS (DoH) detection
Reveal when DNS queries are made to known DNS over HTTPS (DoH) providers to provide insight into DNS traffic that would otherwise be hidden
Expected encryption detection
Identify unencrypted connections running on ports where encryption is expected
RDP authentication inferences
Generate inferences about the method of authentication used by the RDP client
RDP brute force detection
Reveal when an RDP client makes excessive authentication attempts and also succeeds
RDP client inferences
Generate inferences about the type of RDP client used
RDP excessive channel join detections
Reveal when an RDP client exceeds a set threshold for the number of channel joins
SSH agent forwarding detection
See when SSH agent forwarding occurs between clients and servers, which may indicate lateral movement where adversaries have compromised SSH credentials
SSH authentication bypass detection
Reveal when a client and server switch to a non-SSH protocol
SSH client brute force detection
Reveal when an SSH client makes excessive authentication attempts
SSH client file activity detection
Reveal when a client transfers a file to a server or vice versa
SSH client keystroke detection
Reveal an interactive session where a client sends user-driven keystrokes to the server
SSH fingerprinting (HASSH)
Create a hash of every SSH client and server negotiation for use in threat hunting or intel feed matching
SSH MFA detection
See when SSH connections use multifactor authentication (MFA), which can help analysts rule out other explanations for observed timing discrepancies in SSH connections, and help teams monitor external SSH servers for MFA compliance
Non-interactive SSH detection
Reveal when SSH connections do not request an interactive terminal, but instead use SSH as a port forwarding tunnel, which may indicate malicious SSH tunneling
SSH reverse tunnel detection
Reveal when a client connects to an SSH server and sends the server an interactive terminal, establishing a reverse SSH tunnel that may indicate malicious SSH tunneling
SSH scan detection
Infer scanning activity based on how often a single service is scanned
SSL certificate monitoring
Track expired and soon-to-expire certs, newly issued certs, self-signed certs, invalid certs, chain-validation errors, old versions, weak ciphers, weak key lengths, and bad versions (e.g., TLS 1.0)
SSL fingerprinting (JA3)
Create a hash of every SSL/TLS client and server negotiation for use in threat hunting or intel feed matching