
Encrypted Traffic Collection

The Encrypted Traffic Collection offers dozens of unique insights into SSL, SSH, and RDP connections along with top encrypted insights from the Zeek® community like JA3 — all without decryption.

Insights

Custom encryption detection

Detect connections that are already encrypted without an observed handshake, which can indicate custom or pre-negotiated encryption

DNS over HTTPS (DoH) detection

Reveal when DNS queries are made to known DNS over HTTPS (DoH) providers, giving insight into DNS traffic that would otherwise be hidden

Expected encryption detection

Identify unencrypted connections running on ports where encryption is expected

RDP authentication inferences

Generate inferences about the authentication method used by the RDP client

RDP brute force detection

Reveal when an RDP client makes excessive authentication attempts and then succeeds

RDP client inferences

Generate inferences about the type of RDP client used

RDP excessive channel join detection

Reveal when an RDP client exceeds a set threshold for the number of channel joins

SSH agent forwarding detection

See when SSH agent forwarding occurs between clients and servers, which may indicate lateral movement by adversaries who have compromised SSH credentials

SSH authentication bypass detection

Reveal when a client and server switch to a non-SSH protocol

SSH client brute force detection

Reveal when an SSH client makes excessive authentication attempts

SSH client file activity detection

Reveal when a client transfers a file to a server or vice versa

SSH client keystroke detection

Reveal an interactive session in which a client sends user-driven keystrokes to the server

SSH fingerprinting (HASSH)

Create a hash of every SSH client and server negotiation for use in threat hunting or intel feed matching

SSH MFA detection

See when SSH connections use multifactor authentication (MFA), which helps analysts rule out other explanations for observed timing discrepancies in SSH connections and helps teams monitor external SSH servers for MFA compliance

Non-interactive SSH detection

Reveal when SSH connections do not request an interactive terminal but instead use SSH as a port-forwarding tunnel, which may indicate malicious SSH tunneling

SSH reverse tunnel detection

Reveal when a client connects to an SSH server and offers the server an interactive terminal, establishing a reverse SSH tunnel that may indicate malicious SSH tunneling

SSH scan detection

Infer scanning activity based on how often a single service is scanned

SSL certificate monitoring

Track expired and soon-to-expire certs, newly issued certs, self-signed certs, invalid certs, chain-validation errors, old versions, weak ciphers, weak key lengths, and bad versions (e.g., TLS 1.0)

SSL fingerprinting (JA3)

Create a hash of every SSL/TLS client and server negotiation for use in threat hunting or intel feed matching
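As an added, self-contained example (not Corelight's or Zeek's code), the following shows how the two negotiation hashes named above, HASSH for SSH and JA3 for SSL/TLS, are built from handshake fields and then matched against a feed of known fingerprints. The ClientHello values, the SSH KEXINIT name-lists and the feed entries are constructed for illustration and are not real captures or real intel. JA3 concatenates version, cipher suites, extensions, elliptic curves and point formats as decimal lists (GREASE values removed); HASSH concatenates the four client-to-server KEXINIT algorithm lists; both define MD5 of that string as the identifier.

```python
import hashlib
from typing import Dict, Iterable, Optional, Sequence

# TLS GREASE values (RFC 8701). Clients send random ones in each handshake,
# so they must be dropped before hashing or the same client would never
# produce the same JA3 twice.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _dash_list(values: Iterable[int]) -> str:
    """Decimal values joined by '-', GREASE removed (JA3 convention)."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """JA3 string: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(version), _dash_list(ciphers), _dash_list(extensions),
                     _dash_list(curves), _dash_list(point_formats)])


def ja3(version, ciphers, extensions, curves, point_formats) -> str:
    """JA3 hash: MD5 of the string. MD5 is an identifier here, not a security control."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()


def hassh_string(kex: Sequence[str], enc: Sequence[str],
                 mac: Sequence[str], comp: Sequence[str]) -> str:
    """HASSH string: the four client-to-server KEXINIT name-lists joined by ';'."""
    return ";".join([",".join(kex), ",".join(enc), ",".join(mac), ",".join(comp)])


def hassh(kex, enc, mac, comp) -> str:
    """HASSH hash: MD5 of the string."""
    return hashlib.md5(hassh_string(kex, enc, mac, comp).encode()).hexdigest()


# Constructed ClientHello field values (not captured traffic). 771 = 0x0303 = TLS 1.2.
# The 0x0A0A entries are GREASE and must not survive into the fingerprint.
SAMPLE_CLIENT_HELLO = dict(
    version=771,
    ciphers=[0x0A0A, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[0x0A0A, 29, 23, 24],
    point_formats=[0],
)

# Constructed SSH KEXINIT name-lists (client to server), not a real client.
SAMPLE_KEXINIT = dict(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256"],
    enc=["aes128-ctr", "aes256-gcm@openssh.com"],
    mac=["hmac-sha2-256"],
    comp=["none"],
)


def match_intel(fingerprint: str, intel: Dict[str, str]) -> Optional[str]:
    """Look a hash up in a feed (hash -> label). Returns the label or None."""
    return intel.get(fingerprint.lower())


# Constructed feed: the sample hashes labelled as hypothetical tooling.
INTEL_FEED = {
    ja3(**SAMPLE_CLIENT_HELLO): "constructed-label: example TLS client",
    hassh(**SAMPLE_KEXINIT): "constructed-label: example SSH client",
}

if __name__ == "__main__":
    print("JA3  ", ja3_string(**SAMPLE_CLIENT_HELLO), "->", ja3(**SAMPLE_CLIENT_HELLO))
    print("HASSH", hassh_string(**SAMPLE_KEXINIT), "->", hassh(**SAMPLE_KEXINIT))
    print("feed match:", match_intel(ja3(**SAMPLE_CLIENT_HELLO), INTEL_FEED))
```

Because the fingerprint hashes only the negotiation parameters, a match identifies the client software or library, not the person or the host behind it; the same hash will appear for every copy of that software, which is why a feed hit is a hunting lead to be confirmed against the connection's other context rather than a verdict on its own.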
