Network Traffic to Rare Destination Country

calendar Aug 22, 2023 · Use Case: Threat Detection Rule Type: ML Rule Type: Machine Learning  ·
Share on: linkedin copy

A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/04/05"
 3integration = ["endpoint", "network_traffic"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/07/27"
 8
 9[rule]
10anomaly_threshold = 75
11author = ["Elastic"]
12description = """
13A machine learning job detected a rare destination country name in the network logs.
14This can be due to initial access, persistence, command-and-control, or exfiltration activity.
15For example, when a user clicks on a link in a phishing email or opens a malicious document,
16a request may be sent to download and run a payload from a server in a country which does not
17normally appear in network traffic or business work-flows. Malware instances and persistence
18mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin,
19which may be an unusual destination country for the source network.
20"""
21false_positives = [
22    """
23    Business workflows that occur very occasionally, and involve a business relationship with an
24    organization in a country that does not routinely appear in network events, can trigger this alert.
25    A new business workflow with an organization in a country with which no workflows previously
26    existed may trigger this alert - although the model will learn that the new destination country
27    is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many
28    countries for brief periods may trigger this alert.
29    """,
30]
31from = "now-30m"
32interval = "15m"
33license = "Elastic License v2"
34machine_learning_job_id = "rare_destination_country"
35name = "Network Traffic to Rare Destination Country"
36references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
37risk_score = 21
38rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d"
39severity = "low"
40tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
41type = "machine_learning"

References

Related rules

to-top