
Summary
This rule, titled 'Unusual Windows Network Activity', detects network activity from Windows processes that do not normally perform network operations. It is backed by a machine learning job integrated with Elastic's security framework and targets command-and-control traffic, lateral movement, persistence mechanisms, and data exfiltration. The job compares each process's network behavior against an established baseline and flags processes whose activity departs from it. A process that unexpectedly begins communicating over the network may have been exploited or had code injected into it, which is one way a malicious actor gains unauthorized access to or control over the system. Newly installed or rarely used network-capable applications can produce false positives, so each alert should be investigated in context: the IP addresses involved, the user context, the process's execution history, and its parent process.
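The baseline comparison described above, reduced to a simple frequency model, as an added example that is not part of this rule or of Elastic's ML job: it learns which processes normally make network connections from constructed sample events, flags a process whose share of network activity falls below a threshold (a stand-in for the job's anomaly threshold), and returns the triage fields the summary says to examine. The event keys, sample process names and IP addresses are all constructed.

```python
from collections import Counter

# Constructed sample Windows network events (not real telemetry). Keys loosely
# follow ECS field names: process.name, process.parent.name, user.name, destination.ip.
BASELINE_EVENTS = (
    [{"process": "chrome.exe", "parent": "explorer.exe", "user": "alice", "dst": "203.0.113.10"}] * 12
    + [{"process": "OUTLOOK.EXE", "parent": "explorer.exe", "user": "alice", "dst": "203.0.113.20"}] * 6
    + [{"process": "svchost.exe", "parent": "services.exe", "user": "SYSTEM", "dst": "203.0.113.30"}] * 2
)
NEW_EVENTS = [
    {"process": "chrome.exe", "parent": "explorer.exe", "user": "alice", "dst": "203.0.113.10"},
    {"process": "notepad.exe", "parent": "winword.exe", "user": "alice", "dst": "198.51.100.7"},
    {"process": "svchost.exe", "parent": "services.exe", "user": "SYSTEM", "dst": "203.0.113.30"},
]

def build_baseline(events):
    """Count network events per process; names are case-insensitive on Windows."""
    return Counter(e["process"].lower() for e in events)

def score_event(event, baseline, min_fraction=0.05):
    """Return (anomaly_score, flagged). anomaly_score is 1 minus this process's share of
    baseline network events, so a process never seen on the network scores 1.0; the event
    is flagged when that share is below min_fraction (a stand-in for the ML job's threshold)."""
    total = sum(baseline.values())
    share = baseline[event["process"].lower()] / total if total else 0.0
    return round(1.0 - share, 3), share < min_fraction

def triage_context(event):
    """The fields the summary says to examine before closing an alert."""
    return {"process": event["process"], "parent_process": event["parent"],
            "user": event["user"], "destination_ip": event["dst"]}

def find_unusual(new_events, baseline_events):
    """Return triage records, highest score first, for events whose process is unusual."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for event in new_events:
        score, flagged = score_event(event, baseline)
        if flagged:
            alerts.append({"score": score, **triage_context(event)})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for alert in find_unusual(NEW_EVENTS, BASELINE_EVENTS):
        print(alert)
```

Only notepad.exe, never seen on the network in the baseline and spawned by winword.exe, is flagged; the browser and svchost.exe events match the baseline and pass.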
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Service
Created: 2020-03-25