Unusual Network Destination Domain Name

A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.
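The job behind this rule flags a `server.domain` value that is rare compared with the population of domains the environment normally contacts, and the rule only fires when the anomaly score reaches `anomaly_threshold` (50) inside the rule's lookback window (`from = "now-45m"`). The following Python is an added example, not Elastic's ML job or code from this page: it approximates that behaviour with a log-scaled frequency count over a baseline period, alerts only on domains seen in the most recent window, and supports the suffix-based domain exclusions the false-positive note recommends. All events, hostnames and domain names in it are constructed for the example.

```python
"""Simplified stand-in for a 'rare server domain' detector (added example).

Not Elastic's ML job: it counts server.domain values over a baseline period,
gives each domain a 0-100 rarity score (0 for the most frequent domain, 100
for a domain seen once) and alerts on domains contacted in the most recent
detection window whose score meets the threshold. Exclusions use suffix
matching so a whole vendor domain can be tuned out.
"""
import math
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
BASE = datetime(2023, 7, 27, 9, 0, 0)


def _events(domain, host, count, offset_min):
    """Constructed ECS-like events, one every 7 minutes from BASE + offset."""
    return [
        {
            "@timestamp": (BASE + timedelta(minutes=offset_min + 7 * i)).strftime(TS_FMT),
            "host.name": host,
            "server.domain": domain,
        }
        for i in range(count)
    ]


# Constructed sample telemetry (not real data): one busy SaaS domain, a sparsely
# used vendor portal, a rarely visited support site we choose to exclude, and a
# never-before-seen domain contacted once inside the last 45 minutes.
SAMPLE_EVENTS = (
    _events("login.microsoftonline.com", "ws-01", 40, 0)
    + _events("update.vendor-portal.example", "ws-03", 4, 5)
    + _events("kb.support-vendor.example", "ws-02", 1, 230)
    + _events("cdn-7f3a.badstuff.example", "ws-07", 1, 282)
)
NOW = BASE + timedelta(hours=5)  # 2023-07-27T14:00:00Z


def is_excluded(domain, exclusions):
    """True if domain equals an excluded domain or is a subdomain of one."""
    return any(domain == ex or domain.endswith("." + ex) for ex in exclusions)


def rarity_scores(events, now, baseline=timedelta(hours=24), exclusions=()):
    """Score every server.domain seen in [now - baseline, now].

    Log-scaled so the most common domain scores 0 and a domain seen exactly
    once scores 100; excluded domains are dropped before scoring.
    """
    start = now - baseline
    counts = Counter(
        e["server.domain"]
        for e in events
        if start <= datetime.strptime(e["@timestamp"], TS_FMT) <= now
    )
    if not counts:
        return {}
    max_count = max(counts.values())
    scores = {}
    for domain, n in counts.items():
        if is_excluded(domain, exclusions):
            continue
        if max_count == 1:
            score = 100.0  # every domain seen once: no population to compare against
        else:
            score = 100.0 * math.log(max_count / n) / math.log(max_count)
        scores[domain] = round(score)
    return scores


def alerts(events, now, window=timedelta(minutes=45), threshold=50,
           baseline=timedelta(hours=24), exclusions=()):
    """Domains contacted inside the detection window whose rarity score across
    the baseline reaches the threshold (mirroring anomaly_threshold = 50 and
    from = "now-45m"). Returns a sorted list of (domain, score, hosts)."""
    scores = rarity_scores(events, now, baseline, exclusions)
    window_start = now - window
    hosts = {}
    for e in events:
        ts = datetime.strptime(e["@timestamp"], TS_FMT)
        if window_start <= ts <= now:
            hosts.setdefault(e["server.domain"], set()).add(e["host.name"])
    return sorted(
        (domain, scores[domain], sorted(hosts[domain]))
        for domain in hosts
        if domain in scores and scores[domain] >= threshold
    )


if __name__ == "__main__":
    for domain, score, hosts in alerts(SAMPLE_EVENTS, NOW, exclusions=("support-vendor.example",)):
        print(f"score={score:3d} domain={domain} hosts={','.join(hosts)}")
```

Run as written, only `cdn-7f3a.badstuff.example` is reported: the busy SaaS domain scores 0, the sparsely used vendor portal scores 62 but was not contacted in the last 45 minutes, and the one-off support site would score 100 but is suppressed by the exclusion. When tuning the real rule, prefer excluding the narrowest domain that covers the legitimate traffic rather than a registrable suffix like `.example`, since an overly broad exclusion also hides attacker-controlled subdomains.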

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected an unusual network destination domain name. This can be due to initial access,
persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing
email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server
name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for
command-and-control communication.
"""
false_positives = [
    """
    Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical
    support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger
    this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this
    when they are used sparsely. Web domains can be excluded in cases such as these.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_rare_server_domain"
name = "Unusual Network Destination Domain Name"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
type = "machine_learning"
