Decline in host-based traffic

 1[metadata]
 2creation_date = "2025/02/18"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2025/02/18"
 6
 7[rule]
 8anomaly_threshold = 75
 9author = ["Elastic"]
10description = """
11A machine learning job has detected a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system,
12a failed service, or a network misconfiguration.
13"""
14false_positives = [
15    """
16    Legitimate causes such as system maintenance, server shutdowns, or temporary network outages may trigger this alert.
17    """,
18]
19from = "now-45m"
20interval = "5m"
21license = "Elastic License v2"
22machine_learning_job_id = "low_count_events_for_a_host_name"
23name = "Decline in host-based traffic"
24setup = """## Setup
25
26This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
27- Elastic Defend
28
29### Anomaly Detection Setup
30
31Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
32
33### Elastic Defend Integration Setup
34Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
35
36#### Prerequisite Requirements:
37- Fleet is required for Elastic Defend.
38- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
39
40#### The following steps should be executed in order to add the Elastic Defend integration to your system:
41- Go to the Kibana home page and click "Add integrations".
42- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
43- Click "Add Elastic Defend".
44- Configure the integration name and optionally add a description.
45- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
46- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
47- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
48- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
49For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
50- Click "Save and Continue".
51- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
52For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
53"""
54references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
55risk_score = 21
56rule_id = "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18"
57severity = "low"
58tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
59type = "machine_learning"
60note = """## Triage and analysis
61
62> **Disclaimer**:
63> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
64
65### Investigating Decline in host-based traffic
66
67Host-based traffic monitoring is crucial for identifying anomalies in network activity. A sudden drop in traffic can indicate issues like system compromise, service failure, or misconfiguration. Adversaries might exploit these situations to evade detection or disrupt services. The 'Decline in host-based traffic' rule leverages machine learning to identify unexpected traffic reductions, signaling potential security threats for further investigation.
68
69### Possible investigation steps
70
71- Review the affected host's recent activity logs to identify any unusual patterns or events that coincide with the drop in traffic.
72- Check for any recent changes in network configuration or firewall settings that might have inadvertently caused the traffic decline.
73- Investigate the status of critical services on the host to determine if any have failed or been stopped unexpectedly.
74- Analyze network traffic data to identify any potential signs of compromise, such as connections to known malicious IP addresses or unusual outbound traffic.
75- Consult with system administrators to verify if any maintenance or updates were performed around the time of the traffic drop that could explain the anomaly.
76
77### False positive analysis
78
79- Scheduled maintenance or updates can cause temporary drops in host-based traffic. Users should create exceptions for known maintenance windows to prevent false alerts.
80- Network configuration changes, such as firewall rule updates or routing adjustments, might lead to expected traffic reductions. Document and exclude these changes from triggering alerts.
81- Temporary service outages due to non-security related issues, like hardware failures or software bugs, can be mistaken for threats. Implement monitoring to distinguish between these and actual security incidents.
82- Low-usage periods, such as weekends or holidays, may naturally result in reduced traffic. Adjust the machine learning model to account for these patterns by incorporating historical data.
83- Legitimate changes in user behavior, such as remote work policies or shifts in business operations, can affect traffic levels. Regularly update the model to reflect these changes and avoid false positives.
84
85### Response and remediation
86
87- Isolate the affected host from the network to prevent potential lateral movement or further compromise.
88- Verify the integrity and functionality of critical services on the affected host to identify any failures or misconfigurations.
89- Conduct a thorough malware scan on the isolated host to detect and remove any malicious software.
90- Review recent configuration changes on the host and revert any unauthorized or suspicious modifications.
91- Restore any affected services from known good backups if service failure is confirmed as the cause.
92- Monitor network traffic for any signs of unusual activity or attempts to exploit the situation further.
93- Escalate the incident to the security operations team for a deeper forensic analysis and to determine if additional hosts are affected."""