
Summary
The "Unusual Linux Network Activity" detection rule identifies Linux processes that do not normally communicate over the network but have started to do so. Such activity can indicate command-and-control traffic, lateral movement, malware persistence mechanisms, or data exfiltration. The rule is machine-learning based: an anomaly detection job learns which processes routinely generate network events and flags those that do so rarely or never, a pattern frequently caused by exploitation or process injection that gives an adversary remote access to or control over the host. The rule consumes process and network data from the Elastic Defend and Auditd Manager integrations, so both must be installed and shipping events, and the anomaly detection job must have run long enough to establish a baseline of normal per-process network behavior, before the rule can produce alerts. When it fires, the investigation guide walks through checks to establish whether the activity is legitimate: the reputation and ownership of the destination IP addresses, the process's execution history, the activity of the user account that ran it, and the details of the process itself.
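As an added illustration (not Elastic's rule or its anomaly detection job), the following Python script reproduces the rule's core idea with a plain frequency baseline: it counts how often each process name generated network events in a training window, flags later events from processes that were rare or absent in that window, and enriches each alert with the fields the investigation steps call for (executable, user, destination and whether the destination is internal or external). The ECS-shaped events, the sample processes and the internal address ranges are constructed assumptions, not real telemetry.

```python
"""
Illustrative rare-process network detector (added example, not Elastic's ML job).

The real rule relies on an anomaly detection job over Elastic Defend / Auditd
Manager network events. This script mimics the core idea with a frequency
baseline: a process that rarely (or never) produced network events during the
training window is flagged when it does so in the detection window.
"""
import ipaddress
from collections import Counter

# Address ranges treated as internal for triage. Hypothetical environment
# policy; replace with the real internal address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7",
)]


def make_event(process, executable, user, dest_ip, dest_port):
    """Build a minimal ECS-shaped network event (constructed sample data)."""
    return {
        "process": {"name": process, "executable": executable},
        "user": {"name": user},
        "destination": {"ip": dest_ip, "port": dest_port},
    }


# Constructed training window: what "normal" network activity looked like.
BASELINE_EVENTS = (
    [make_event("curl", "/usr/bin/curl", "deploy", "10.1.2.3", 443)] * 40
    + [make_event("sshd", "/usr/sbin/sshd", "root", "10.1.2.9", 22)] * 30
    + [make_event("apt", "/usr/bin/apt", "root", "10.1.2.100", 80)] * 10
)

# Constructed events from the detection window. Only python3 is new here.
NEW_EVENTS = [
    make_event("curl", "/usr/bin/curl", "deploy", "10.1.2.3", 443),
    make_event("apt", "/usr/bin/apt", "root", "10.1.2.100", 80),
    make_event("python3", "/usr/bin/python3", "www-data", "203.0.113.7", 4444),
    make_event("sshd", "/usr/sbin/sshd", "root", "10.1.2.9", 22),
]


def build_baseline(events):
    """Count network events per process.name in the training window."""
    return Counter(e["process"]["name"] for e in events)


def baseline_fraction(process_name, baseline):
    """Share of baseline network events produced by this process (0.0 if never seen)."""
    total = sum(baseline.values())
    return baseline.get(process_name, 0) / total if total else 0.0


def classify_destination(ip_str):
    """Triage helper: is the destination inside the internal ranges or external?"""
    ip = ipaddress.ip_address(ip_str)
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch,
    # so mixing address families in INTERNAL_NETS is safe.
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def detect(baseline_events, new_events, min_fraction=0.01):
    """Flag events whose process rarely made network connections in the baseline.

    Returns enriched alert dicts carrying the fields an analyst needs for the
    follow-up checks: executable, user, destination and its classification.
    """
    baseline = build_baseline(baseline_events)
    alerts = []
    for e in new_events:
        name = e["process"]["name"]
        frac = baseline_fraction(name, baseline)
        if frac < min_fraction:
            alerts.append({
                "process.name": name,
                "process.executable": e["process"]["executable"],
                "user.name": e["user"]["name"],
                "destination.ip": e["destination"]["ip"],
                "destination.port": e["destination"]["port"],
                "destination.class": classify_destination(e["destination"]["ip"]),
                "baseline_fraction": frac,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(alert)
```

With the constructed data only the `python3` event is flagged: `curl`, `sshd` and `apt` all appear in the baseline above the 1% threshold, while `python3` running as `www-data` and connecting outbound to an external address on port 4444 has no history at all. The threshold is a stand-in for the anomaly score the real ML job computes; in practice the baseline would be built from weeks of data per host or host group, not a handful of events.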
Categories
- Linux
- Endpoint
- Cloud
- On-Premise
- Infrastructure
Data Sources
- Process
- Network Traffic
- Kernel
- User Account
Created: 2020-03-25