Key Metrics
| Event Type | Count | Sources | Destinations |
|---|---|---|---|
| flow | 2,847,392 | 1,284 | 18,472 |
| dns | 1,523,847 | 892 | 142 |
| tls | 948,271 | 743 | 12,384 |
| alert | 12,847 | 234 | 1,892 |
| http | 384,291 | 521 | 8,743 |
Insight
AI-generated security assessment using claude-haiku-4-5-20251001 — refreshed every report cycle.
Security Posture
Elevated — The network shows active threat indicators requiring investigation. Rockfish observed 4,821 behavioral detections across 847 assets in the last 24 hours, with 23 elevated to pre-intrusion alerts. The OCCAM engine's 81.9% suppression rate indicates a well-tuned baseline, but the 8 elevated alerts in the datacenter segment and 3 in the DMZ warrant immediate attention. Total IDS alert volume (12,847) is within normal range for the 1,284 monitored hosts, with 847.3 GB of traffic processed.
Key Findings
- SIGMA Pre-Intrusion: 10.0.12.45 (datacenter) triggered 3 C2 alerts with surprisal up to 8.73 bits — the highest anomaly score observed this period. Viterbi path shows Benign→Reconnaissance→Staging→LateralMovement progression.
- Lateral Movement: 10.0.3.118 (corporate) shows lateral spread pattern with 7.21-bit surprisal across 64 detection windows. Cross-segment traffic increasing.
- Data Exfiltration: 10.0.12.201 (datacenter) flagged for exfiltration behavior with 6.84-bit surprisal. 52 detection windows with sustained anomaly scores above 0.68.
- IDS Alerts: 47 critical-severity alerts across 12 source hosts — 1,247 trojan-class signatures firing, consistent with the SIGMA C2 detections.
- DNS: DGA candidate domains detected alongside DNS tunneling indicators — potential malware communication channels.
- TLS: 97.2% TLS 1.2+ compliance. Remaining 2.8% legacy TLS from IoT segment.
Threat Indicators
- 10.0.12.45 — Persistent C2 beaconing, 3 pre-intrusion alerts in 24h, Occam predictor confidence 84.7%. Highest priority for containment.
- 10.0.3.118 — Active lateral movement across corporate segment, 5 elevated detections. May be pivoting from initial compromise on 10.0.12.45.
- 10.0.12.201 — Exfiltration pattern with 4 pre-intrusion alerts. Data leaving datacenter to external destinations at elevated rates.
- 172.16.0.89 — DMZ host conducting reconnaissance, 2 elevated alerts. Potential perimeter breach or compromised web server.
- 192.168.1.44 — IoT device with C2 indicators, 1 elevated alert. Likely botnet enrollment — isolate and reimage.
Recommendations
1. Contain 10.0.12.45 immediately — 3 C2 alerts with 8.73-bit surprisal and progressive attack path indicate active compromise. Isolate and begin forensics.
2. Investigate lateral movement from 10.0.3.118 — 5 elevated detections suggest attacker pivoting through corporate segment. Check for credential reuse.
3. Block exfiltration from 10.0.12.201 — monitor outbound data flows from this datacenter host; apply egress filtering pending investigation.
4. Quarantine IoT device 192.168.1.44 — C2 indicators on IoT are high-confidence; segment or remove from network.
5. Remediate legacy TLS endpoints — 2.8% of sessions still on TLS 1.0/1.1, concentrated in IoT segment. Upgrade firmware or isolate behind TLS-terminating proxy.