Unusual Linux Network Port Activity

Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.

Elastic rule

[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data
exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate
unauthorized access or threat actor activity.
"""
false_positives = ["A newly installed program or one that rarely uses the network could trigger this alert."]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_linux_anomalous_network_port_activity"]
name = "Unusual Linux Network Port Activity"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
type = "machine_learning"
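The following is an added illustration of the idea behind this rule, not Elastic's ML job or any code from the rule: recent network events are scored by how rare their destination port is against the fleet's history, and events scoring at or above the rule's anomaly_threshold of 50 are surfaced with host and process so the documented false positive (a newly installed program) can be triaged. The hosts, processes, ports and the scoring formula are all constructed assumptions.

```python
from collections import Counter
from math import log10

ANOMALY_THRESHOLD = 50  # same cut-off as the rule's anomaly_threshold; scores run 0-100

# Constructed fleet history as (host, process, destination_port); not real telemetry.
BASELINE = (
    [(f"web-{i}", "nginx", 443) for i in (1, 2, 3) for _ in range(5)]
    + [(f"web-{i}", "curl", 80) for i in (1, 2, 3) for _ in range(3)]
    + [(f"db-{i}", "postgres", 5432) for i in (1, 2) for _ in range(4)]
    + [(h, "ssh", 22) for h in ("web-1", "web-2", "db-1") for _ in range(2)]
)

# Constructed recent window, the slice the rule inspects every 15 minutes over the last 45 minutes.
WINDOW = [
    ("web-1", "nginx", 443),
    ("db-2", "postgres", 5432),
    ("web-2", "python3", 4444),  # constructed: a port nothing in the fleet has used before
]


def port_score(port, baseline):
    """Rarity score 0-100 for a destination port relative to fleet history.

    Simplified stand-in for the ML job (assumption, not Elastic's implementation): estimate
    the port's probability with add-one smoothing, so a never-seen port still gets a small
    non-zero probability, then map -log10(p) onto 0-100. p = 0.1 lands exactly on 50.
    """
    counts = Counter(p for _, _, p in baseline)
    p = (counts[port] + 1) / (len(baseline) + len(counts) + 1)
    return min(100.0, 50.0 * -log10(p))


def find_anomalies(window, baseline, threshold=ANOMALY_THRESHOLD):
    """Return window events whose destination port scores at or above the threshold.

    Host and process are kept so an analyst can tell a genuinely new program (the rule's
    documented false positive) from an unexpected process reaching an unusual port.
    """
    hits = []
    for host, process, port in window:
        score = port_score(port, baseline)
        if score >= threshold:
            hits.append({"host": host, "process": process, "port": port, "score": round(score)})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in find_anomalies(WINDOW, BASELINE):
        print(hit)
```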
