Suricata and Elastic Defend Network Correlation

 1[metadata]
 2creation_date = "2025/12/10"
 3integration = ["endpoint", "suricata"]
 4maturity = "production"
 5updated_date = "2025/12/10"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing
11the network activity.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suricata and Elastic Defend Network Correlation"
18references = [
19    "https://attack.mitre.org/tactics/TA0011/",
20    "https://www.elastic.co/docs/reference/integrations/suricata",
21    "https://www.elastic.co/docs/reference/integrations/endpoint"
22]
23risk_score = 47
24rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
25severity = "medium"
26tags = [
27    "Domain: Endpoint",
28    "Domain: Network",
29    "OS: Linux",
30    "OS: Windows",
31    "OS: macOS",
32    "Use Case: Threat Detection",
33    "Tactic: Command and Control",
34    "Data Source: Elastic Defend",
35    "Data Source: Suricata",
36    "Resources: Investigation Guide",
37]
38type = "eql"
39query = '''
40sequence by source.port, source.ip, destination.ip with maxspan=1m
41 [network where event.dataset == "suricata.eve" and event.kind == "alert" and event.severity != 3 and source.ip != null and destination.ip != null]
42 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
43'''
44note = """## Triage and analysis
45
46### Investigating Suricata and Elastic Defend Network Correlation
47
48### Possible investigation steps
49
50- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
51- Review the process details like command_line, privileges, global relevance and reputation.
52- Assess the destination.ip reputation and global relevance.
53- Review the parent process execution details like command_line, global relevance and reputation.
54- Examine all network connection details performed by the process during last 48h.
55- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
56
57### False positive analysis
58
59- Trusted system or third party processes performing network activity that looks like beaconing.
60
61### Response and remediation
62
63- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
64- Terminate the suspicious processes and all associated children and parents.
65- Implement network-level controls to block traffic to the destination.ip.
66- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
67- Reset credentials for any accounts associated with the source machine.
68- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
69"""
70
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73
74[rule.threat.tactic]
75id = "TA0011"
76name = "Command and Control"
77reference = "https://attack.mitre.org/tactics/TA0011/"