Spike in Firewall Denies

A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a misconfigured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, such as attempts to reach command-and-control (C2) infrastructure or to exfiltrate data, may produce a burst of failed connections. The spike could also be due to unusually large amounts of reconnaissance or enumeration traffic, and denial-of-service attacks or traffic floods may produce a similar surge.

Elastic rule

[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected an unusually large spike in network traffic that was
denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by
either 1) a misconfigured application or firewall or 2) suspicious or malicious activity.
Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
or engage in data exfiltration, may produce a burst of failed connections. This could also
be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
attacks or traffic floods may also produce such a surge in traffic.
"""
false_positives = [
    """
    A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.
    """,
]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "high_count_network_denies"
name = "Spike in Firewall Denies"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]
type = "machine_learning"
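The rule above delegates the "unusually large spike" judgement to the high_count_network_denies anomaly detection job. The following Python is an added example, not Elastic's code and not the algorithm the ML job uses: it counts denied connections per 15-minute bucket (the rule's interval), flags a bucket whose count is far above the other buckets using a robust z-score (median and MAD, with a hypothetical threshold), and then summarises the flagged bucket by source and destination so an analyst can separate the causes the description lists: a misconfigured client retrying one blocked destination, a single host sweeping many ports, or many sources flooding. All events, addresses and the threshold are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

BUCKET = timedelta(minutes=15)   # same granularity as the rule's 15m interval
Z_THRESHOLD = 5.0                # hypothetical cut-off; the ML job scores anomalies differently

def bucket_counts(events):
    """Count deny events per 15-minute bucket; events are (timestamp, src, dst, port)."""
    counts = Counter()
    for ts, *_ in events:
        start = ts - timedelta(minutes=ts.minute % 15, seconds=ts.second,
                               microseconds=ts.microsecond)
        counts[start] += 1
    return dict(sorted(counts.items()))

def robust_z(value, baseline):
    """Distance of value from the baseline median, in units of scaled MAD."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1.0   # guard: flat baseline -> MAD 0
    return (value - med) / (1.4826 * mad)

def find_spikes(events, threshold=Z_THRESHOLD):
    """Return (bucket_start, count) for buckets whose deny count is anomalously high."""
    counts = bucket_counts(events)
    spikes = []
    for start, count in counts.items():
        others = [c for s, c in counts.items() if s != start]   # leave-one-out baseline
        if len(others) >= 5 and robust_z(count, others) > threshold:
            spikes.append((start, count))
    return spikes

def triage(events, start):
    """Summarise one bucket's denies to hint at the cause named in the rule description."""
    in_bucket = [e for e in events if start <= e[0] < start + BUCKET]
    n = len(in_bucket)
    sources = Counter(src for _, src, _, _ in in_bucket)
    targets = Counter((dst, port) for _, _, dst, port in in_bucket)
    ports = {port for _, _, _, port in in_bucket}
    if len(sources) == 1 and len(targets) == 1:
        verdict = "single source to single destination: likely misconfigured application or rule"
    elif len(sources) == 1 and len(ports) > 0.5 * n:
        verdict = "single source sweeping many ports: enumeration-like"
    elif len(sources) > 0.5 * n:
        verdict = "many sources: flood-like"
    else:
        verdict = "mixed pattern: review top talkers"
    return {"count": n, "unique_sources": len(sources), "unique_ports": len(ports),
            "top_source": sources.most_common(1)[0], "verdict": verdict}

def sample_events():
    """Constructed firewall deny events: 24 quiet buckets, then one bucket with a spike."""
    t0 = datetime(2023, 7, 27, 0, 0)
    events = []
    for b in range(24):                       # background: 2-4 denies per bucket
        start = t0 + b * BUCKET
        for i in range(2 + b % 3):
            events.append((start + timedelta(minutes=i), "10.0.0.5", "10.0.1.9", 443))
    spike = t0 + 24 * BUCKET                  # 06:00 bucket: one host, 300 distinct ports
    for port in range(1, 301):
        events.append((spike + timedelta(seconds=port), "10.0.0.77", "10.0.1.9", port))
    return events

if __name__ == "__main__":
    evts = sample_events()
    for start, count in find_spikes(evts):
        print(start, count, triage(evts, start))
```

The leave-one-out baseline keeps the spike itself from inflating the median it is compared against; in production the ML job's modelled baseline and anomaly_threshold replace both the fixed Z_THRESHOLD and the 24-bucket history used here.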
