Tag
This rule identifies successful outbound TLS sessions initiated by internal hosts to external destinations that utilize deprecated protocol versions (SSLv3, TLS 1.0, TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Such negotiations can indicate an Adversary-in-the-Middle attack or communication with legacy malware, allowing for traffic interception or decryption. Detection engineers should investigate the `source.ip`, `destination.ip`, `tls.version`, and `tls.cipher` to determine if the destination is a legitimate legacy system or a potential compromise, checking for concurrent alerts on the source host.