Spike in host-based traffic

 1[metadata]
 2creation_date = "2025/02/18"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2025/02/18"
 6
 7[rule]
 8anomaly_threshold = 75
 9author = ["Elastic"]
10description = """
11A machine learning job has detected a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks,
12malware infections, privilege escalation, or data exfiltration.
13"""
14false_positives = [
15    """
16    System updates, scheduled backups, or misconfigured services may trigger this alert.
17    """,
18]
19from = "now-1h"
20interval = "15m"
21license = "Elastic License v2"
22machine_learning_job_id = "high_count_events_for_a_host_name"
23name = "Spike in host-based traffic"
24setup = """## Setup
25
26This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
27- Elastic Defend
28
29### Anomaly Detection Setup
30
31Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
32
33### Elastic Defend Integration Setup
34Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
35
36#### Prerequisite Requirements:
37- Fleet is required for Elastic Defend.
38- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
39
40#### The following steps should be executed in order to add the Elastic Defend integration to your system:
41- Go to the Kibana home page and click "Add integrations".
42- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
43- Click "Add Elastic Defend".
44- Configure the integration name and optionally add a description.
45- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
46- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
47- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
48- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
49For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
50- Click "Save and Continue".
51- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
52For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
53"""
54references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
55risk_score = 21
56rule_id = "fe8d6507-b543-4bbc-849f-dc0da6db29f6"
57severity = "low"
58tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
59type = "machine_learning"
60note = """## Triage and analysis
61
62> **Disclaimer**:
63> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
64
65### Investigating Spike in host-based traffic
66The detection of a spike in host-based traffic leverages machine learning to identify anomalies in network behavior, which may indicate security threats like DDoS attacks or data exfiltration. Adversaries exploit this by overwhelming systems or stealthily transferring data. The rule, with a low severity score, flags unusual traffic patterns, enabling analysts to investigate potential compromises or misconfigurations.
67
68### Possible investigation steps
69
70- Review the timestamp and source of the traffic spike to determine the exact time and origin of the anomaly.
71- Analyze the affected host's network logs to identify any unusual outbound or inbound connections that coincide with the spike.
72- Check for any recent changes or updates on the affected host that might have triggered the spike, such as software installations or configuration changes.
73- Investigate any associated user accounts for signs of unauthorized access or privilege escalation activities.
74- Correlate the spike with other security alerts or logs to identify potential patterns or related incidents.
75- Assess the host for signs of malware infection or indicators of compromise that could explain the abnormal traffic behavior.
76
77### False positive analysis
78
79- Routine software updates or patch management activities can cause temporary spikes in host-based traffic. Users should monitor scheduled update times and create exceptions for these periods to avoid false positives.
80- Backup operations often generate increased network traffic. Identifying and excluding these regular backup windows from monitoring can help reduce false alerts.
81- High-volume data transfers within the organization, such as large file uploads or downloads for legitimate business purposes, may trigger the rule. Establishing baseline traffic patterns for these activities and setting exceptions can mitigate unnecessary alerts.
82- Automated scripts or batch processes that run at specific times and generate predictable traffic spikes should be documented and excluded from anomaly detection to prevent false positives.
83- Internal network scans or vulnerability assessments conducted by IT security teams can mimic malicious traffic patterns. These should be scheduled and whitelisted to avoid triggering the rule.
84
85### Response and remediation
86
87- Isolate the affected host from the network to prevent further data exfiltration or participation in a DDoS attack.
88- Conduct a thorough scan of the isolated host for malware or unauthorized software, and remove any malicious files or applications found.
89- Review and reset credentials for any accounts that may have been compromised, ensuring that privilege escalation is mitigated.
90- Monitor network traffic for any additional anomalies or spikes that could indicate further compromise or ongoing attacks.
91- Restore the affected host from a known good backup if malware or significant unauthorized changes are detected.
92- Implement network segmentation to limit the spread of potential threats and reduce the impact of similar incidents in the future.
93- Escalate the incident to the security operations center (SOC) or relevant team for further analysis and to determine if additional resources are needed for a comprehensive response."""