Spike in Network Traffic

A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic,
if not caused by a surge in business activity, can be due to suspicious or malicious activity.
Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually
large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may
also produce such a surge in traffic.
"""
false_positives = [
    """
    Business workflows that occur very occasionally, and involve an unusual surge in network traffic,
    can trigger this alert. A new business workflow or a surge in business activity may trigger this alert.
    A misconfigured network application or firewall may trigger this alert.
    """,
]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "high_count_network_events"
name = "Spike in Network Traffic"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
type = "machine_learning"
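The rule above delegates the actual detection to the high_count_network_events ML job, so the page does not show what a count spike looks like in data. The following is an added illustration, not Elastic's job, its scoring, or anything from this repository: it bins constructed flow records into 15-minute buckets (the rule's interval), builds a median/MAD baseline from the preceding buckets, flags a bucket whose count is far above that baseline, and attaches the context a triage would pull to tell scanning from exfiltration or a business surge (dominant source, distinct destinations, bytes). The events, IP addresses, threshold of 6.0 and the MAD-based score are all assumptions made for the example and do not correspond to the job's anomaly_threshold of 75.

```python
"""Simplified count-spike detector over constructed network events.

Added example, not Elastic's ML job. The robust z-score, the 6.0 threshold
and the sample traffic are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

BUCKET = timedelta(minutes=15)      # same width as the rule's interval = "15m"
T0 = datetime(2023, 7, 27, 8, 0)    # constructed start of the observation window


def constructed_events():
    """Constructed sample: 12 quiet buckets of ~20 flows each, then one bucket in
    which a single host (10.0.0.5) touches 300 distinct destinations, which is
    what enumeration traffic tends to look like. Addresses are made up."""
    events = []  # (timestamp, source ip, destination ip, bytes)
    for b in range(12):
        start = T0 + b * BUCKET
        for i in range(18 + (b % 5)):          # 18..22 flows: mild normal variation
            events.append((start + timedelta(seconds=40 * i),
                           f"10.0.0.{1 + i % 4}", f"10.1.0.{10 + i}", 1500))
    spike_start = T0 + 12 * BUCKET
    for i in range(300):
        events.append((spike_start + timedelta(seconds=2 * i),
                       "10.0.0.5", f"10.2.{i // 256}.{i % 256}", 64))
    return events


def bucketize(events, bucket=BUCKET):
    """Group events by the start of the bucket they fall in (floored relative to T0)."""
    buckets = defaultdict(list)
    for ts, src, dst, nbytes in events:
        start = T0 + ((ts - T0) // bucket) * bucket
        buckets[start].append((src, dst, nbytes))
    return dict(sorted(buckets.items()))


def robust_score(count, history):
    """Distance of `count` from the historical median, in units of scaled MAD.
    Median/MAD are used instead of mean/stddev so that one earlier spike does
    not inflate the baseline and hide the next one."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0   # floor: a flat baseline must not divide by zero
    return (count - med) / (1.4826 * mad)


def spike_buckets(events, min_history=8, threshold=6.0):
    """Return one summary dict per bucket whose count is a spike over the
    buckets before it. The first `min_history` buckets only seed the baseline."""
    buckets = bucketize(events)
    counts = {start: len(rows) for start, rows in buckets.items()}
    starts = list(counts)
    flagged = []
    for i, start in enumerate(starts):
        if i < min_history:
            continue
        history = [counts[s] for s in starts[:i]]
        score = robust_score(counts[start], history)
        if score < threshold:
            continue
        rows = buckets[start]
        top_src, top_n = Counter(src for src, _, _ in rows).most_common(1)[0]
        flagged.append({
            "bucket_start": start.isoformat(),
            "count": counts[start],
            "baseline_median": median(history),
            "score": round(score, 1),
            # Triage context: one source hitting many hosts with small payloads
            # reads as a scan; few hosts with large byte totals reads as exfil.
            "top_source": top_src,
            "top_source_share": round(top_n / len(rows), 2),
            "distinct_destinations": len({dst for _, dst, _ in rows}),
            "total_bytes": sum(n for _, _, n in rows),
        })
    return flagged


if __name__ == "__main__":
    for hit in spike_buckets(constructed_events()):
        print(hit)
```

On the constructed input only the thirteenth bucket is flagged: 300 events against a baseline median of 19.5, all from one source to 300 distinct hosts with tiny payloads, which points at enumeration rather than bulk exfiltration. When the same shape shows up in production, the false-positive list on the rule applies: check whether the source is a vulnerability scanner, a backup or sync job that runs rarely, or a misconfigured application before treating it as hostile.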
