Unusual Linux Web Activity
A machine learning job detected an unusual web URL request from a Linux host, which can indicate malware delivery and execution. Wget and cURL are commonly used by Linux programs to download code and data, and most of the time their usage is entirely normal. Because they typically work from a fixed list of URLs, they repeatedly download from the same locations. However, Wget and cURL are sometimes used to deliver Linux exploit payloads, and threat actors use these tools to download additional software and code. For these reasons, an unusual URL can indicate an unauthorized download or threat activity.
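As an added illustration (not the Elastic ML job's own code), the following Python sketches the rule's idea over constructed ECS-style process events: baseline the URL hosts each Linux machine's wget and cURL have fetched, then flag a download to a location never seen before. Field names, host names and URLs are assumptions.

```python
# Added illustration of the rule's idea, not the Elastic ML job itself:
# wget/curl normally fetch the same locations repeatedly, so a URL host a Linux
# machine has never fetched before is flagged. ECS-style event dicts are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

DOWNLOADERS = {"wget", "curl"}

def url_host(args):
    """Return the host of the first http(s) URL in process.args, or None."""
    for a in args:
        if a.startswith(("http://", "https://")):
            return urlsplit(a).hostname
    return None

def build_baseline(events):
    """Map host.name -> set of URL hosts that wget/curl fetched in the learning window."""
    seen = defaultdict(set)
    for e in events:
        if e["process"]["name"] in DOWNLOADERS:
            h = url_host(e["process"]["args"])
            if h:
                seen[e["host"]["name"]].add(h)
    return seen

def find_unusual(events, baseline):
    """Return (host.name, process.name, url_host) for downloads from a never-seen location."""
    hits = []
    for e in events:
        proc = e["process"]["name"]
        if proc not in DOWNLOADERS:
            continue
        h = url_host(e["process"]["args"])
        if h and h not in baseline.get(e["host"]["name"], set()):
            hits.append((e["host"]["name"], proc, h))
    return hits

# Constructed sample events: a learning window, then a later window to score.
BASELINE_EVENTS = [
    {"host": {"name": "web-01"}, "process": {"name": "curl", "args": ["curl", "-s", "https://mirror.example.org/pkg.tgz"]}},
    {"host": {"name": "web-01"}, "process": {"name": "wget", "args": ["wget", "https://mirror.example.org/list.txt"]}},
    {"host": {"name": "web-01"}, "process": {"name": "sshd", "args": ["sshd", "-D"]}},
]
NEW_EVENTS = [
    {"host": {"name": "web-01"}, "process": {"name": "curl", "args": ["curl", "https://mirror.example.org/pkg2.tgz"]}},  # known location
    {"host": {"name": "web-01"}, "process": {"name": "wget", "args": ["wget", "-qO-", "http://203.0.113.10/update.sh"]}},  # never seen
]

if __name__ == "__main__":
    print(find_unusual(NEW_EVENTS, build_baseline(BASELINE_EVENTS)))
```

A new mirror picked up during a software upgrade would be flagged the same way, which is the false-positive case the rule documentation describes.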
Rule type: machine_learning
Machine learning job: linux_anomalous_network_url_activity_ecs
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- ML
Version: 3 (version history)
Added (Elastic Stack release): 7.7.0
Last modified (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert.
Rule version history
- Version 3 (7.10.0 release): Formatting only
- Version 2 (7.9.0 release): Formatting only