Suricata and Elastic Defend Network Correlation

  1[metadata]
  2creation_date = "2025/12/10"
  3integration = ["endpoint", "suricata"]
  4maturity = "production"
  5updated_date = "2026/04/10"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing
 11the network activity.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Suricata and Elastic Defend Network Correlation"
 18references = [
 19    "https://attack.mitre.org/tactics/TA0011/",
 20    "https://www.elastic.co/docs/reference/integrations/suricata",
 21    "https://www.elastic.co/docs/reference/integrations/endpoint"
 22]
 23risk_score = 47
 24rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
 25severity = "medium"
 26tags = [
 27    "Domain: Endpoint",
 28    "Domain: Network",
 29    "OS: Linux",
 30    "OS: Windows",
 31    "OS: macOS",
 32    "Use Case: Threat Detection",
 33    "Tactic: Command and Control",
 34    "Data Source: Elastic Defend",
 35    "Data Source: Suricata",
 36    "Resources: Investigation Guide",
 37]
 38type = "eql"
 39query = '''
 40sequence by source.port, source.ip, destination.ip with maxspan=5s
 41 [network where data_stream.dataset == "suricata.eve" and event.kind == "alert" and
 42  event.severity != 3 and source.ip != null and destination.ip != null and
 43  not source.domain : ("*nessusscan*", "SCCMPS*") and
 44  not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File", "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
 45 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted") and
 46  not process.executable in ("System", "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Inventory\\PDQInventoryService.exe") and 
 47  not process.executable : "C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe"]
 48'''
 49note = """## Triage and analysis
 50
 51### Investigating Suricata and Elastic Defend Network Correlation
 52
 53### Possible investigation steps
 54
 55- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
 56- Review the process details like command_line, privileges, global relevance and reputation.
 57- Assess the destination.ip reputation and global relevance.
 58- Review the parent process execution details like command_line, global relevance and reputation.
 59- Examine all network connection details performed by the process during last 48h.
 60- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
 61
 62### False positive analysis
 63
 64- Trusted system or third party processes performing network activity that looks like beaconing.
 65
 66### Response and remediation
 67
 68- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 69- Terminate the suspicious processes and all associated children and parents.
 70- Implement network-level controls to block traffic to the destination.ip.
 71- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
 72- Reset credentials for any accounts associated with the source machine.
 73- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 74"""
 75
 76[[rule.threat]]
 77framework = "MITRE ATT&CK"
 78
 79[[rule.threat.technique]]
 80id = "T1071"
 81name = "Application Layer Protocol"
 82reference = "https://attack.mitre.org/techniques/T1071/"
 83
 84[[rule.threat.technique]]
 85id = "T1571"
 86name = "Non-Standard Port"
 87reference = "https://attack.mitre.org/techniques/T1571/"
 88
 89[rule.threat.tactic]
 90id = "TA0011"
 91name = "Command and Control"
 92reference = "https://attack.mitre.org/tactics/TA0011/"
 93
 94[[rule.threat]]
 95framework = "MITRE ATT&CK"
 96
 97[[rule.threat.technique]]
 98id = "T1046"
 99name = "Network Service Discovery"
100reference = "https://attack.mitre.org/techniques/T1046/"
101
102[rule.threat.tactic]
103id = "TA0007"
104name = "Discovery"
105reference = "https://attack.mitre.org/tactics/TA0007/"