Spike in Firewall Denies
A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.
Elastic rule
[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected an unusually large spike in network traffic that was
denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by
either 1) a mis-configured application or firewall or 2) suspicious or malicious activity.
Unsuccessful attempts at network transit, in order to connect to command-and-control (C2),
or engage in data exfiltration, may produce a burst of failed connections. This could also
be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service
attacks or traffic floods may also produce such a surge in traffic.
"""
false_positives = [
    """
    A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert.
    """,
]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "high_count_network_denies"
name = "Spike in Firewall Denies"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
type = "machine_learning"
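The rule above delegates the statistics to the prebuilt high_count_network_denies job. To make the idea concrete, here is an added Python example that is not Elastic's job or any code from the rule: it counts denied connections per 15-minute window, scores each window against the preceding ones with a robust baseline (median plus median absolute deviation), and flags windows far above that baseline. It goes one step past the rule by also breaking a flagged window down by source host and destination port, which is the first thing an analyst needs in order to separate a misconfigured application from reconnaissance or a flood. The log format, window width, MAD threshold and sample traffic are all constructed assumptions, not a real firewall format or Elastic's parameters.

```python
"""Added example (not Elastic's ML job): a toy spike detector for firewall denies.

Constructed log format (an assumption, not a real firewall format):
    <ISO timestamp> <allowed|denied> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
Denied events are counted per fixed window, each window is scored against the
preceding windows with a robust baseline (median + MAD), and a flagged window
is broken down by source host and destination port so an analyst can tell one
noisy host (misconfigured app, scan) from a wide flood.
"""
from collections import Counter, namedtuple
from datetime import datetime, timedelta
from statistics import median

BUCKET = timedelta(minutes=15)   # assumption: same width as the rule's 15m interval
MIN_BASELINE_BUCKETS = 4         # assumption: history needed before a window is scored
MAD_K = 6.0                      # assumption: robust z-score needed to flag a window

Spike = namedtuple("Spike", "bucket count score")


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, action, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def bucket_of(ts):
    """Floor a timestamp to the start of its window (BUCKET must divide one hour)."""
    minutes = int(BUCKET.total_seconds() // 60)
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def count_denies(events):
    """Denied events per window, as {window_start: count}; allowed traffic is ignored."""
    return Counter(bucket_of(e["ts"]) for e in events if e["action"] == "denied")


def bucket_series(counts):
    """Contiguous (window, count) list; windows with no denies count as 0."""
    if not counts:
        return []
    b, end, series = min(counts), max(counts), []
    while b <= end:
        series.append((b, counts.get(b, 0)))
        b += BUCKET
    return series


def detect_spikes(counts, min_baseline=MIN_BASELINE_BUCKETS, threshold=MAD_K):
    """Flag windows whose count is far above the median of all earlier windows."""
    series = bucket_series(counts)
    spikes = []
    for i in range(min_baseline, len(series)):
        history = [c for _, c in series[:i]]
        med = median(history)
        mad = median(abs(c - med) for c in history)
        scale = max(1.4826 * mad, 1.0)   # floor: a flat baseline must not divide by ~0
        bucket, count = series[i]
        score = (count - med) / scale
        if score > threshold:
            spikes.append(Spike(bucket, count, round(score, 1)))
    return spikes


def triage(events, bucket):
    """Break a flagged window down so the analyst can see what drove it."""
    inwin = [e for e in events if e["action"] == "denied" and bucket_of(e["ts"]) == bucket]
    return {"top_sources": Counter(e["src_ip"] for e in inwin).most_common(3),
            "distinct_dst_ports": len({e["dst_port"] for e in inwin}),
            "distinct_destinations": len({e["dst_ip"] for e in inwin})}


def build_sample_log():
    """Constructed sample: eight quiet windows, then one window with a burst."""
    lines = []
    start = datetime(2023, 7, 27, 8, 0, 0)
    for i in range(8):                       # 3..6 scattered denies per quiet window
        base = start + i * BUCKET
        for j in range(3 + i % 4):
            ts = base + timedelta(minutes=2 * j, seconds=7)
            lines.append(f"{ts.isoformat()} denied 10.0.1.{10 + j}:{51200 + j} -> 203.0.113.9:443")
    spike = start + 8 * BUCKET               # one internal host, 120 ports in two minutes
    for p in range(120):
        ts = spike + timedelta(seconds=p)
        lines.append(f"{ts.isoformat()} denied 10.0.0.23:{44000 + p} -> 10.0.2.5:{20 + p}")
    lines.append(f"{(spike + timedelta(minutes=5)).isoformat()} denied 10.0.1.10:51200 -> 203.0.113.9:443")
    lines.append(f"{(spike + timedelta(minutes=6)).isoformat()} allowed 10.0.1.11:51201 -> 203.0.113.9:443")
    return lines


def run(lines):
    """Parse, score and triage; returns (spikes, {window: triage details})."""
    events = [parse_line(line) for line in lines]
    spikes = detect_spikes(count_denies(events))
    return spikes, {s.bucket: triage(events, s.bucket) for s in spikes}


if __name__ == "__main__":
    found, details = run(build_sample_log())
    for s in found:
        print(f"{s.bucket:%H:%M} denies={s.count} score={s.score} {details[s.bucket]}")
```

On the constructed sample the eight quiet windows hold 3 to 6 denies each, so the 10:00 window with 121 denies scores roughly 78 against a threshold of 6 and is the only one flagged; the triage output shows a single source reaching 121 distinct destination ports on two hosts, which points at enumeration from one machine rather than a wide flood or a broken application. The floor on the MAD scale matters in practice: a perfectly flat baseline would otherwise turn any single extra deny into an infinite score, which is exactly the kind of noise the rule's false_positives note warns about.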
Related rules
- Anomalous Linux Compiler Activity
- Anomalous Process For a Linux Population
- Anomalous Process For a Windows Population
- Anomalous Windows Process Creation
- DNS Tunneling