Inbound Connection to an Unsecure Elasticsearch Node
Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/11"
integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/16"

[rule]
author = ["Elastic"]
description = """
Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are
accepting inbound network connections over the default Elasticsearch port.
"""
false_positives = [
    """
    If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate
    the source IP address of your reverse-proxy.
    """,
]
from = "now-9m"
index = ["packetbeat-*", "logs-network_traffic.*"]
language = "lucene"
license = "Elastic License v2"
name = "Inbound Connection to an Unsecure Elasticsearch Node"
note = """## Setup

This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation."""
references = [
    "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
    "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers",
]
risk_score = 47
rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9"
severity = "medium"
tags = ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND
  status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT
  _exists_:http.request.headers.authorization
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
This rule requires the addition of port 9200 and send_all_headers to the HTTP protocol configuration in packetbeat.yml. See the References section for additional configuration documentation.
References
- https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html
- https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers
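The query above, re-implemented term by term as an added example (this is not the Elastic rule's own code) over constructed packetbeat-style events, so each condition can be checked against a sample event. The `proxy_sources` allowlist is an assumed tuning hook for the reverse-proxy false positive the rule notes; `get_path`, `sample_event` and the sample IPs are constructed for the example.

```python
# Added example, not from the Elastic rule or its repository: the rule's Lucene
# query re-implemented over constructed packetbeat-style nested events.
from typing import Any

ES_PORT = 9200  # default Elasticsearch HTTP port the rule watches


def get_path(event: dict, path: str, default: Any = None) -> Any:
    """Resolve a dotted field name such as 'http.request.headers' in a nested event."""
    node: Any = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches_rule(event: dict, proxy_sources: frozenset = frozenset()) -> bool:
    """True when the event satisfies every term of the rule's query."""
    is_http = get_path(event, "event.dataset") == "network_traffic.http" or (
        get_path(event, "event.category") == "network_traffic"
        and get_path(event, "network.protocol") == "http"
    )
    if not is_http or get_path(event, "status") != "OK":
        return False
    if (get_path(event, "destination.port") != ES_PORT
            or get_path(event, "network.direction") != "inbound"):
        return False
    # Browser favicon fetches are unauthenticated by nature; the rule excludes them
    if get_path(event, "http.response.headers.content-type") == "image/x-icon":
        return False
    # Lucene _exists_: any present value counts, even an empty string
    if "authorization" in get_path(event, "http.request.headers", {}):
        return False
    # Assumed tuning for the false positive the rule names: an authenticating
    # TLS reverse proxy in front of the node would otherwise fire on every request
    return get_path(event, "source.ip") not in proxy_sources


def alerting_sources(events: list, proxy_sources: frozenset = frozenset()) -> list:
    """Source IPs of the events that would fire the rule, in input order."""
    return [get_path(e, "source.ip") for e in events if matches_rule(e, proxy_sources)]


def sample_event(src: str, auth: bool = False, ctype: str = "application/json") -> dict:
    """Build a constructed inbound port-9200 HTTP event (not captured traffic)."""
    req_headers = {"authorization": "Basic REDACTED"} if auth else {}
    return {"event": {"dataset": "network_traffic.http"}, "status": "OK",
            "destination": {"port": ES_PORT}, "network": {"direction": "inbound"},
            "source": {"ip": src},
            "http": {"request": {"headers": req_headers},
                     "response": {"headers": {"content-type": ctype}}}}
```

Run with `send_all_headers` enabled as the Setup note requires; without it packetbeat never records `http.request.headers.authorization`, and every authenticated request would look unauthenticated to this logic.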
Related rules
- Accepted Default Telnet Port Connection
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- SMB (Windows File Sharing) Activity to the Internet
- Unusual Linux Username