Last 24 hours
Generated 2026-02-17 06:31:44 UTC
Findings by Severity
| Severity | Findings | % |
|---|---|---|
| Critical | 4 | 4.7 |
| High | 18 | 21.2 |
| Medium | 42 | 49.4 |
| Low | 21 | 24.7 |
Findings by Detection Type
| Detection Type | Findings | Sources | Targets | Max Severity |
|---|---|---|---|---|
| beaconing | 12 | 8 | 6 | High |
| exfiltration | 5 | 4 | 5 | Critical |
| port_scan | 8 | 3 | 12 | High |
| dns_tunneling | 6 | 4 | 3 | High |
| lateral_movement | 3 | 3 | 5 | Critical |
| c2_fanout | 2 | 8 | 1 | Critical |
| baseline_deviation | 18 | 12 | 14 | Medium |
| new_connection | 31 | 18 | 24 | Low |
All Findings
Individual hunt detections ordered by severity. Run `rockfish hunt` to generate findings from flow and DNS data.
| Severity | Detection | Source | Destination | Description |
|---|---|---|---|---|
| Critical | exfiltration | 10.1.8.50 | 198.51.100.47 | Large outbound transfer (2.8 GB) to unknown VPS, byte ratio 4.2:1 |
| Critical | lateral_movement | 10.1.8.50 | 10.169.112.51 | 3-hop lateral chain: 10.1.8.50 -> 10.169.112.51 -> 10.1.12.100 |
| Critical | c2_fanout | 10.1.8.50 | 198.51.100.47 | 8 internal hosts connecting to single external endpoint on port 443 |
| Critical | lateral_movement | 10.169.112.51 | 10.1.12.100 | 4-hop chain detected spanning 3 subnets over 2.4 hours |
| High | beaconing | 10.1.8.50 | 198.51.100.47 | Regular 60s beacon interval, CoV=0.03, 1440 connections in 24h |
| High | beaconing | 10.169.112.51 | 203.0.113.88 | Regular 120s beacon interval, CoV=0.04, 720 connections in 24h |
| High | exfiltration | 10.1.8.13 | 52.96.166.130 | 847 MB outbound to cloud storage, byte ratio 3.1:1 |
| High | dns_tunneling | 10.1.8.50 | 1.1.1.2 | 847 queries to c2-exfil-tunnel.suspicious-domain.net, avg subdomain length 42 |
| High | port_scan | 198.51.100.88 | 10.1.8.0/24 | Sequential scan of 1284 ports, scan rate 8.4 ports/sec |
| High | dns_tunneling | 10.6.19.21 | 1.1.1.2 | 284 queries with encoded subdomains, TXT ratio 0.82 |
| Medium | beaconing | 10.1.8.13 | 198.51.100.12 | 180s beacon interval, CoV=0.048, 480 connections |
| Medium | beaconing | 10.6.19.21 | 203.0.113.201 | 300s beacon interval, CoV=0.041, 288 connections |
| Medium | port_scan | 203.0.113.142 | 10.169.112.0/24 | 847 ports scanned across 6 hosts |
| Medium | baseline_deviation | 10.1.8.50 | 13.107.42.14 | Flow count increased 340% vs baseline (847 -> 3728) |
| Medium | baseline_deviation | 10.169.112.51 | 104.18.32.68 | Bytes out increased 520% vs baseline, 3 new protocols observed |
| Medium | baseline_deviation | 10.1.12.100 | 10.1.12.200 | Database traffic volume increased 280% vs baseline |
| Low | new_connection | 172.16.4.10 | 198.51.100.99 | New connection pair not seen in baseline window |
| Low | new_connection | 172.16.4.25 | 203.0.113.44 | New connection pair to previously unseen destination |
| Low | new_connection | 10.1.12.203 | 91.189.88.142 | New outbound connection from staging server |