Suricata and Elastic Defend Network Correlation

 1[metadata]
 2creation_date = "2025/12/10"
 3integration = ["endpoint", "suricata"]
 4maturity = "production"
 5updated_date = "2026/01/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing
11the network activity.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suricata and Elastic Defend Network Correlation"
18references = [
19    "https://attack.mitre.org/tactics/TA0011/",
20    "https://www.elastic.co/docs/reference/integrations/suricata",
21    "https://www.elastic.co/docs/reference/integrations/endpoint"
22]
23risk_score = 47
24rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
25severity = "medium"
26tags = [
27    "Domain: Endpoint",
28    "Domain: Network",
29    "OS: Linux",
30    "OS: Windows",
31    "OS: macOS",
32    "Use Case: Threat Detection",
33    "Tactic: Command and Control",
34    "Data Source: Elastic Defend",
35    "Data Source: Suricata",
36    "Resources: Investigation Guide",
37]
38type = "eql"
39query = '''
40sequence by source.port, source.ip, destination.ip with maxspan=5s
41 [network where event.dataset == "suricata.eve" and event.kind == "alert" and
42  event.severity != 3 and source.ip != null and destination.ip != null and
43  not source.domain : ("*nessusscan*", "SCCMPS*") and
44  not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File", "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
45 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted") and
46  not process.executable in ("System", "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Inventory\\PDQInventoryService.exe") and 
47  not process.executable : "C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe"]
48'''
49note = """## Triage and analysis
50
51### Investigating Suricata and Elastic Defend Network Correlation
52
53### Possible investigation steps
54
55- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
56- Review the process details like command_line, privileges, global relevance and reputation.
57- Assess the destination.ip reputation and global relevance.
58- Review the parent process execution details like command_line, global relevance and reputation.
59- Examine all network connection details performed by the process during last 48h.
60- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
61
62### False positive analysis
63
64- Trusted system or third party processes performing network activity that looks like beaconing.
65
66### Response and remediation
67
68- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
69- Terminate the suspicious processes and all associated children and parents.
70- Implement network-level controls to block traffic to the destination.ip.
71- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
72- Reset credentials for any accounts associated with the source machine.
73- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
74"""
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78
79[rule.threat.tactic]
80id = "TA0011"
81name = "Command and Control"
82reference = "https://attack.mitre.org/tactics/TA0011/"