Last 24 hours · Apr 19, 2026 05:31 – Apr 20, 2026 05:31 UTC
Demonstration Mode (synthetic data)
Generated: 2026-04-20 05:31:53 UTC

Overview

Total Traffic (GB): 847.30
Outbound (GB): 312.80
Inbound (GB): 534.50
Total Flows: 2,847,392
Events/Hour: 347,218
AI Security Assessment (anthropic / claude-haiku-4-5-20251001)

Security Posture

Elevated — The network shows active threat indicators requiring investigation. Rockfish observed 4,821 behavioral detections across 847 assets in the last 24 hours, with 23 elevated to pre-intrusion alerts. The SIGMA engine's 81.9% suppression rate indicates a well-tuned baseline, but the 8 elevated alerts in the datacenter segment and 3 in the DMZ warrant immediate attention. Total IDS alert volume (12,847) is within normal range for the 1,284 monitored hosts, with 847.3 GB of traffic processed.

Key Findings

  • SIGMA Pre-Intrusion: 10.0.12.45 (datacenter) triggered 3 C2 alerts with surprisal up to 8.73 bits — the highest anomaly score observed this period. Viterbi path shows Normal→Probing→Compromised→C2Active progression.
  • Lateral Movement: 10.0.3.118 (corporate) shows lateral spread pattern with 7.21-bit surprisal across 64 detection windows. Cross-segment traffic increasing.
  • Data Exfiltration: 10.0.12.201 (datacenter) flagged for exfiltration behavior with 6.84-bit surprisal. 52 detection windows with sustained anomaly scores above 0.68.
  • IDS Alerts: 47 critical-severity alerts across 12 source hosts — 1,247 trojan-class signatures firing, consistent with the SIGMA C2 detections.
  • DNS: DGA candidate domains detected alongside DNS tunneling indicators — potential malware communication channels.
  • TLS: 97.2% TLS 1.2+ compliance. Remaining 2.8% legacy TLS from IoT segment.

Threat Indicators

  • 10.0.12.45 — Persistent C2 beaconing, 3 pre-intrusion alerts in 24h, Occam predictor confidence 84.7%. Highest priority for containment.
  • 10.0.3.118 — Active lateral movement across corporate segment, 5 elevated detections. May be pivoting from initial compromise on 10.0.12.45.
  • 10.0.12.201 — Exfiltration pattern with 4 pre-intrusion alerts. Data leaving datacenter to external destinations at elevated rates.
  • 172.16.0.89 — DMZ host conducting reconnaissance, 2 elevated alerts. Potential perimeter breach or compromised web server.
  • 192.168.1.44 — IoT device with C2 indicators, 1 elevated alert. Likely botnet enrollment — isolate and reimage.

Recommendations

1. Contain 10.0.12.45 immediately — 3 C2 alerts with 8.73-bit surprisal and progressive attack path indicate active compromise. Isolate and begin forensics.

2. Investigate lateral movement from 10.0.3.118 — 5 elevated detections suggest attacker pivoting through corporate segment. Check for credential reuse.

3. Block exfiltration from 10.0.12.201 — monitor outbound data flows from this datacenter host; apply egress filtering pending investigation.

4. Quarantine IoT device 192.168.1.44 — C2 indicators on IoT are high-confidence; segment or remove from network.

5. Remediate legacy TLS endpoints — 2.8% of sessions still on TLS 1.0/1.1, concentrated in IoT segment. Upgrade firmware or isolate behind TLS-terminating proxy.

Global Connections

Global Connection Map
Event Type   Total       Unique Sources   Unique Destinations
flow         2,847,392   1,284            18,472
dns          1,523,847   892              142
tls          948,271     743              12,384
alert        12,847      234              1,892
http         384,291     521              8,743

Hourly Traffic Volume

Alert Timeline

Alert Severity Breakdown

Top 10 Talkers

Source IP        Flows     Total GB   Out GB   In GB   Unique Dests
10.1.8.50        284,392   82.40      31.20    51.20   4,827
10.1.8.13        198,472   64.70      28.90    35.80   3,284
10.169.112.51    172,384   52.30      19.40    32.90   2,847
10.1.12.100      148,291   41.80      15.70    26.10   2,192
10.169.111.12    124,837   38.20      14.30    23.90   1,847
10.1.8.22        98,472    29.40      11.20    18.20   1,523
10.6.19.21       84,291    24.80      9.70     15.10   1,284
10.1.8.35        72,384    21.30      8.40     12.90   1,092
10.169.112.15    64,827    18.70      7.10     11.60   943
10.1.12.88       52,948    15.20      5.80     9.40    847

Top External Destinations

Destination       Country   Organization      Clients   Sent MB   Recv MB
13.107.42.14      US        Microsoft         312       2,847.3   8,472.1
142.250.80.46     US        Google            284       1,923.4   6,284.7
104.18.32.68      US        Cloudflare        247       1,284.8   4,827.3
52.96.166.130     US        Amazon AWS        198       984.2     3,284.1
151.101.1.140     US        Fastly            176       847.3     2,847.6
185.199.108.153   NL        GitHub            142       623.4     1,847.2
172.217.14.99     US        Google            118       492.8     1,284.3
23.235.46.133     US        Verizon Digital   98        384.2     984.7
198.41.128.100    DE        Cloudflare        84        287.3     847.2
93.184.216.34     EU        Edgecast          72        234.1     623.4

Port Sonar — Destination Port × Subnet

Port Activity Across Subnets

[Heatmap: destination port × source /24; each cell gives the flow count and number of hosts for one (subnet, port) pair]
Port axis: 22 ssh, 25 smtp, 53 dns, 80 http, 123, 135 rpc, 139 netbios, 389 ldap, 443 https, 445 smb, 465 smtps, 587 submission, 636 ldaps, 1433 mssql, 3389 rdp, 5432 pgsql, 6379 redis, 9200 elastic
Source /24 axis: 10.1.8.0/24, 10.1.40.0/24, 172.16.4.0/24, 10.169.99.0/24, 10.2.5.0/24, 10.169.111.0/24, 10.1.12.0/24, 10.169.112.0/24, 10.6.19.0/24, 10.4.18.0/24, 192.168.10.0/24, 192.168.20.0/24

Vertical streaks → scans · horizontal streaks → service-targeting · isolated bright cells → focused activity.

Application Protocols