Can Security Analytics signatures be leveraged for domain-fronting attacks?
If Security Analytics can detect and alert on TLS SNI mismatch with the HTTPS host header or the presence of ESNI (Encrypted SNI) in the HTTPS header, then our security analyst team could be alerted.
Please refer to this link for more information on the domain fronting technique: https://attack.mitre.org/techniques/T1090/004/
Security Analytics cannot currently detect domain fronting. The main reason is that you need access to the TLS hello client packet, which is only present if the traffic being captured is encrypted. You also need access to the HTTP header packets, which are only available in unencrypted traffic. Even if Security Analytics could capture both encrypted and decrypted packets of the same traffic, there is no way to compare or correlate the two in the current implementation of the software.
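The correlation the question describes, shown here as an added example rather than Security Analytics code or anything from the original thread: pull the SNI out of a TLS ClientHello, normalize it against the HTTP Host header seen on the decrypted side of the same session, and flag sessions where the two disagree or where the hello carries an encrypted-SNI extension. The ClientHello bytes are constructed by a small builder for the demonstration; the extension code points for ESNI (0xffce) and ECH (0xfe0d) are the draft values and are assumptions here, as are all host names.

```python
import struct

SNI_EXT = 0x0000
ESNI_EXT = 0xFFCE   # draft-ietf-tls-esni encrypted_server_name (assumed code point)
ECH_EXT = 0xFE0D    # draft Encrypted ClientHello (assumed code point)


def build_client_hello(sni=None, extra_ext=()):
    """Construct a minimal TLS ClientHello record for testing (constructed data, not a capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=0 (host_name)
        lst = struct.pack("!H", len(entry)) + entry                     # server_name_list
        exts += struct.pack("!HH", SNI_EXT, len(lst)) + lst
    for ext_type, data in extra_ext:
        exts += struct.pack("!HH", ext_type, len(data)) + data
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # TLS record header


def parse_client_hello(record):
    """Return the SNI host name (or None) and the set of extension types in a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip client_version and random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    result = {"sni": None, "extensions": set()}
    if pos + 2 > len(body):
        return result                                      # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        result["extensions"].add(etype)
        if etype == SNI_EXT and len(data) >= 5:
            p = 2                                          # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    result["sni"] = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    break
                p += 3 + nlen
    return result


def normalize_host(host):
    """Lower-case, drop a trailing dot and an explicit port so SNI and Host compare fairly."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and "]" in host:               # bracketed IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:                               # hostname:port
        return host.split(":")[0]
    return host


def assess_fronting(client_hello, http_host):
    """Correlate a session's ClientHello SNI with its decrypted HTTP Host header.

    Returns (verdict, detail); a SOC rule would alert on 'mismatch' and 'esni'.
    """
    info = parse_client_hello(client_hello)
    if info["extensions"] & {ESNI_EXT, ECH_EXT}:
        return "esni", "encrypted SNI/ECH present; Host cannot be validated against SNI"
    if info["sni"] is None:
        return "no_sni", "ClientHello carries no SNI; nothing to correlate"
    if normalize_host(info["sni"]) != normalize_host(http_host):
        return "mismatch", f"SNI {info['sni']!r} != Host {http_host!r}"
    return "match", "SNI matches Host"


if __name__ == "__main__":
    hello = build_client_hello("cdn.example.net")         # constructed sample
    print(assess_fronting(hello, "cdn.example.net"))
    print(assess_fronting(hello, "hidden.example.org"))
```

The verdict is split into four cases on purpose: a mismatch is the classic fronting indicator, an ESNI/ECH extension means the comparison cannot be made at all (which is itself worth surfacing), and a missing SNI is logged separately so legitimate SNI-less clients do not inflate the mismatch count.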