Spike in Network Traffic

A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.

Elastic rule

[metadata]
creation_date = "2021/04/05"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic,
if not caused by a surge in business activity, can be due to suspicious or malicious activity.
Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually
large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may
also produce such a surge in traffic.
"""
false_positives = [
    """
    Business workflows that occur very occasionally, and involve an unusual surge in network traffic,
    can trigger this alert. A new business workflow or a surge in business activity may trigger this alert.
    A misconfigured network application or firewall may trigger this alert.
    """,
]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "high_count_network_events"
name = "Spike in Network Traffic"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71"
severity = "low"
tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", ]
type = "machine_learning"
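The rule itself contains no detection logic: it delegates scoring to the `high_count_network_events` ML job and alerts on any anomaly record whose score reaches `anomaly_threshold`, querying back `from` on every `interval`. The following added example (not Elastic's code or scoring algorithm) parses those fields from the rule fragment above, checks that the look-back covers the run interval, and then runs a simplified stand-in for the ML job over constructed per-15-minute event counts. The median/MAD baseline, the 5-points-per-sigma score mapping, the twelve-bucket window and the `SAMPLE_COUNTS` series are all assumptions made for this example.

```python
import re
from statistics import median

try:
    import tomllib  # stdlib in Python 3.11+
except ModuleNotFoundError:
    tomllib = None

# The scheduling and threshold fields of the rule shown above (copied from the page).
RULE_TOML = """
[rule]
anomaly_threshold = 75
from = "now-30m"
interval = "15m"
machine_learning_job_id = "high_count_network_events"
name = "Spike in Network Traffic"
"""

# Constructed sample input: network events per 15-minute bucket for one host.
# Twelve quiet buckets, a small bump, an exfiltration-sized spike, a return to
# normal, a moderate "new business workflow" bump, then normal again.
SAMPLE_COUNTS = [980, 1010, 995, 1020, 1000, 990, 1005, 1015, 985, 1000, 1010, 995,
                 1060, 4800, 1005, 1250, 995]

_DURATION = re.compile(r"^(?:now-)?(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def _load_toml(text: str) -> dict:
    """Parse TOML with tomllib, or with a minimal fallback for this flat fragment."""
    if tomllib is not None:
        return tomllib.loads(text)
    table, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            table = out.setdefault(line[1:-1], {})
        elif "=" in line and table is not None:
            key, _, val = (p.strip() for p in line.partition("="))
            table[key] = val.strip('"') if val.startswith('"') else int(val)
    return out


def parse_duration(text: str) -> int:
    """Convert a rule duration such as '15m' or 'now-30m' into seconds."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def load_rule(toml_text: str) -> dict:
    """Return the [rule] table after checking that the look-back covers the run interval."""
    rule = _load_toml(toml_text)["rule"]
    lookback = parse_duration(rule["from"])
    interval = parse_duration(rule["interval"])
    # A look-back shorter than the interval leaves gaps between runs in which an
    # anomaly record can be indexed but never queried, so it never alerts.
    if lookback < interval:
        raise ValueError(f"from ({lookback}s) must cover interval ({interval}s)")
    return rule


def robust_score(history: list, current: int) -> int:
    """Assumed 0-100 score for `current` against `history`; stands in for the ML job.

    Median and MAD are used so that a spike already in the history does not
    inflate the baseline and hide the next one. The 5-points-per-sigma mapping
    is an arbitrary assumption for this example, not Elastic's scoring.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    sigma = 1.4826 * mad if mad else 1.0  # MAD-to-sigma factor for normal data
    z = (current - med) / sigma
    return max(0, min(100, round(5 * z)))


def evaluate(rule: dict, counts: list, baseline_buckets: int = 12) -> list:
    """Score each bucket against the preceding `baseline_buckets` and apply the rule threshold."""
    threshold = rule["anomaly_threshold"]
    results = []
    for i in range(baseline_buckets, len(counts)):
        score = robust_score(counts[i - baseline_buckets:i], counts[i])
        results.append({"bucket": i, "count": counts[i], "score": score,
                        "alert": score >= threshold})
    return results


if __name__ == "__main__":
    for r in evaluate(load_rule(RULE_TOML), SAMPLE_COUNTS):
        flag = "ALERT" if r["alert"] else "ok"
        print(f"bucket {r['bucket']:2d} count {r['count']:5d} score {r['score']:3d} {flag}")
```

Two things in the output are worth noticing. The 4800-event bucket scores 100 and the bucket right after it scores 1, because the median/MAD baseline is not dragged upward by the spike it just saw. The 1250-event bucket also crosses the threshold of 75: that is exactly the "new business workflow" false positive the rule's `false_positives` field warns about, and it is why the rule ships with `severity = "low"` and `risk_score = 21` rather than as a high-confidence signal.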
