MITRE ATT&CK® Analytic

AN0684: Analytic 0684

Audit VoIP/SIP logs for suspicious outbound calls or call setup messages to unusual endpoints. Correlate with user activity such as browser execution or package installation following the call.

Domain: Enterprise | Object: AN0684 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because suspicious VoIP/SIP call activity can be an early signal that communications infrastructure or a Linux-hosted VoIP component is being used in an unusual way. For leaders, the value is not the call record alone; it is whether the organization can connect call setup activity to nearby user or system behavior, such as browser execution or package installation, quickly enough to support an incident decision.

Executive priority

Prioritize this where Linux-based VoIP/SIP services support business communications, customer contact, operations, or compliance evidence. Leaders should ask whether SIP/VoIP logs are retained, searchable, and correlated with endpoint activity. The control decision is about resilience and investigation readiness: if call records and host activity cannot be joined, suspicious communications behavior may remain an isolated anomaly rather than actionable incident evidence.

Technical view

Validate collection from Linux VoIP/SIP components for outbound call attempts, call setup messages, destination endpoints, timestamps, users or service accounts where available, and source hosts. Correlate those events with host telemetry showing browser execution or package installation after the call, as stated in the analytic. Because no ATT&CK tactic or relationship context is supplied, detection engineering should treat this as a focused analytic tied to VoIP/SIP audit evidence rather than infer a broader intrusion pattern without local corroboration.

Likely telemetry

  • VoIP/SIP server audit logs from Linux platforms
  • Outbound call records and SIP call setup messages
  • Destination endpoint, number, URI, domain, or IP metadata where logged
  • User, extension, service account, host, and timestamp context where available
  • Linux process execution telemetry for browser activity

Detection direction

  • Baseline normal outbound VoIP/SIP destinations, call setup patterns, and expected service behavior before alerting on unusual endpoints.
  • Correlate suspicious outbound calls or SIP setup messages with subsequent browser execution or package installation on the related Linux host or user context.
  • Tune for legitimate administrative changes, maintenance windows, call routing changes, and expected package updates to reduce false positives.
  • Confirm timestamp quality and identity mapping; weak time synchronization or missing user/service context can make the correlation unreliable.
  • Do not expand the alert into unsupported tactics or attribution without additional local evidence, because no relationship context or official detection logic is supplied.
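As an added illustration of the correlation described in the Technical view and the Detection direction bullets (this is example code, not part of the MITRE analytic or Glexia's page), the script below baselines outbound SIP destination hosts, then flags a call to a non-baselined endpoint that the same user follows, within a fixed window, with browser or package-manager execution. The call and process records are constructed sample data in a hypothetical simplified format, and the join assumes the PBX extension has already been mapped to the host user account.

```python
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical simplified format (not from any real PBX
# or EDR): SIP call setup records and Linux process-execution records, already
# normalized to ISO-8601 timestamps and a shared user identity (extension owner).
SIP_CALLS = [
    {"ts": "2024-05-01T09:00:05", "user": "ext2001", "dst": "sip:+15551230001@carrier.example.net"},
    {"ts": "2024-05-01T09:14:10", "user": "ext2014", "dst": "sip:4411@203.0.113.77:5060;transport=udp"},
    {"ts": "2024-05-01T09:30:00", "user": "ext2001", "dst": "sip:+15551230002@carrier.example.net"},
]
PROC_EXEC = [
    {"ts": "2024-05-01T09:15:40", "user": "ext2014", "exe": "/usr/bin/firefox"},
    {"ts": "2024-05-01T09:18:02", "user": "ext2014", "exe": "/usr/bin/apt-get"},
    {"ts": "2024-05-01T09:31:00", "user": "ext2001", "exe": "/usr/bin/vim"},
]
# Baseline of expected outbound SIP destination hosts, learned from historical call records.
BASELINE_DST = {"carrier.example.net"}
# Follow-up binaries the analytic names: browsers and package managers.
FOLLOW_UP = {"firefox", "chromium", "google-chrome", "apt", "apt-get", "dpkg",
             "yum", "dnf", "rpm", "pip", "pip3"}
WINDOW = timedelta(minutes=15)


def sip_dst_host(uri: str) -> str:
    """Host part of a SIP URI without user, port or URI parameters (no IPv6 literals)."""
    hostport = uri.split("@", 1)[-1].split(";", 1)[0]
    return hostport.split(":", 1)[0]


def correlate(calls, procs, baseline=BASELINE_DST, window=WINDOW):
    """Flag calls to non-baselined endpoints followed, within the window and for
    the same user, by browser or package-manager execution."""
    alerts = []
    for call in calls:
        dst = sip_dst_host(call["dst"])
        if dst in baseline or not call.get("user"):  # tuned-out destination, or no identity to join on
            continue
        t0 = datetime.fromisoformat(call["ts"])
        follow = [p["exe"] for p in procs
                  if p["user"] == call["user"]
                  and t0 <= datetime.fromisoformat(p["ts"]) <= t0 + window
                  and p["exe"].rsplit("/", 1)[-1] in FOLLOW_UP]
        if follow:
            alerts.append({"user": call["user"], "dst": dst, "call_ts": call["ts"], "follow_up": follow})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIP_CALLS, PROC_EXEC):
        print(alert)
```

Calls whose user field is missing are skipped rather than matched, which is the identity-mapping weakness the bullets above warn about; widen or narrow the baseline and window to see how the alert volume moves.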

Mitigation priorities

  • Ensure Linux VoIP/SIP logs are enabled, retained, and forwarded to the SIEM or managed detection platform.
  • Maintain endpoint telemetry on relevant Linux systems, especially process execution and package installation events.
  • Define expected VoIP/SIP destinations, routing patterns, and administrative update workflows so unusual activity can be assessed quickly.
  • Review access controls and change-management practices for VoIP/SIP infrastructure to support investigation and audit readiness.
  • Test incident response playbooks for communications-system anomalies, including how SOC and telecom/communications owners coordinate evidence review.

Analyst notes and limits

The supplied object is a detection analytic, AN0684, for Linux platforms. It provides a concise analytic description but no official detection implementation, no tactics, and no relationship context. The strongest use is as a validation prompt: can the SOC correlate suspicious VoIP/SIP outbound activity with nearby Linux user or package-management activity?

This take is limited to the official STIX fields, external reference, and supplied context. It does not establish active exploitation, adversary attribution, specific malware, business impact, or guaranteed detection coverage. Local VoIP architecture, logging depth, endpoint telemetry, and normal call-routing behavior are required to operationalize it.

Official MITRE ATT&CK definition

Analytic 0684

Audit VoIP/SIP logs for suspicious outbound calls or call setup messages to unusual endpoints. Correlate with user activity such as browser execution or package installation following the call.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 865742c62f721434...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 865742c62f72…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0684 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.