
Summary
This detection rule identifies unusually large spikes in denied network traffic, which may indicate misconfigured applications or firewalls, or malicious activity such as command-and-control (C2) communications, data exfiltration attempts, reconnaissance, or denial-of-service (DoS) attacks. It uses a machine learning job to monitor traffic denied by network access control lists (ACLs) and firewalls over a 15-minute interval and raises an alert when the anomaly score exceeds the pre-defined threshold of 75. The rule relies on data from the Elastic Defend and Network Packet Capture integrations, so those integrations and the associated machine learning jobs must be installed and configured. In response to an alert, security teams should review the underlying logs, investigate the traffic pattern, and distinguish legitimate traffic from potentially harmful activity. The setup section provides procedural guidance for integrating the required monitoring tools into the infrastructure. Administrative actions may include reviewing firewall settings, analyzing traffic sources, and implementing mitigations for potential threats or handling false positives.
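To make the rule's logic concrete, the following added example (not Elastic's code and not the rule's ML job) buckets constructed firewall deny lines into 15-minute windows, scores each window against the others with a median/MAD heuristic that stands in for the ML anomaly score, and, going one step beyond the rule itself, reports the source address that drove each flagged window as triage context. The log format, the score mapping and every host address are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

WINDOW_SECONDS = 15 * 60        # the rule's 15-minute bucket
ANOMALY_THRESHOLD = 75          # the rule's alert threshold

def parse_event(line):
    """Constructed log format (assumption): '<ISO8601> <ACTION> <src_ip> -> <dst_ip>:<dst_port>'."""
    ts, action, src, _, dst = line.split()
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return {"window": epoch - epoch % WINDOW_SECONDS, "action": action, "src": src, "dst": dst}

def anomaly_score(count, baseline_counts):
    """Robust z-score of one window against the others (median/MAD), squashed onto 0..100.
    Crude stand-in for the ML score: 75 here means about 15 MADs above the median."""
    med = median(baseline_counts)
    mad = median(abs(c - med) for c in baseline_counts) or 1.0   # avoid division by zero
    z = max(0.0, (count - med) / (1.4826 * mad))
    return round(100 * z / (z + 5))

def find_spikes(lines, threshold=ANOMALY_THRESHOLD):
    """Return [(window_start_utc, deny_count, score, top_source)] for windows at or over threshold."""
    events = [parse_event(l) for l in lines]
    denies = [e for e in events if e["action"] == "DENY"]     # ALLOW lines are ignored
    counts = Counter(e["window"] for e in denies)
    if len(counts) < 4:            # too little history to call anything a spike
        return []
    spikes = []
    for w, n in sorted(counts.items()):
        baseline = [c for other, c in counts.items() if other != w]
        score = anomaly_score(n, baseline)
        if score >= threshold:     # analysts want to know which source drove the spike first
            top_src = Counter(e["src"] for e in denies if e["window"] == w).most_common(1)[0][0]
            spikes.append((datetime.fromtimestamp(w, timezone.utc).isoformat(), n, score, top_src))
    return spikes

def constructed_sample():
    """Constructed data: eight quiet windows, then one window where a single host draws 60 denies."""
    base = datetime(2021, 4, 5, 10, 0, tzinfo=timezone.utc)
    lines = []
    for w, n in enumerate([4, 5, 3, 6, 4, 5, 4, 5]):
        for i in range(n):
            t = base + timedelta(minutes=15 * w + i)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} DENY 10.0.0.{i + 1} -> 203.0.113.10:22")
    for i in range(60):
        t = base + timedelta(minutes=15 * 8, seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} DENY 10.0.0.77 -> 203.0.113.{i % 20 + 1}:445")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} ALLOW 10.0.0.1 -> 203.0.113.10:443")
    return lines
```

Calling `find_spikes(constructed_sample())` flags only the ninth window; the quiet windows score well below 75 even with the spike window included in their baseline.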
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Application Log
Created: 2021-04-05