IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential DNS Tunneling via Iodine
Iodine is a tool for tunneling Internet protocol version 4 (IPv4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
Version: 6 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
Normal use of Iodine is uncommon apart from security testing and research. Use by non-security engineers is very uncommon.
Rule query
event.category:process and event.type:(start or process_started) and process.name:(iodine or iodined)
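To make the query's matching logic concrete, here is an added Python example (not Elastic's code and not part of the rule) that applies both the current query and the pre-7.9.0 query to a handful of ECS-style process events. The evaluator is a hand-written subset of the field logic, not Kibana's KQL engine, and the event documents, host names and process arguments are constructed samples, not real telemetry.

```python
"""Added example (not Elastic's code): evaluate the rule's query logic over
constructed ECS-style process events to see what would and would not alert."""
from typing import Any, Callable, Dict, Iterable, List

# Current query (rule version 3 and later):
#   event.category:process and event.type:(start or process_started)
#   and process.name:(iodine or iodined)
IODINE_PROCESS_NAMES = {"iodine", "iodined"}
START_EVENT_TYPES = {"start", "process_started"}


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS field name (e.g. 'process.name') against a nested dict."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def as_set(value: Any) -> set:
    """ECS fields such as event.type may be scalar or arrays; normalise to a set."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple)):
        return {str(v) for v in value}
    return {str(value)}


def matches_current_query(event: Dict[str, Any]) -> bool:
    """Current rule query: process start events whose name is iodine or iodined."""
    return (
        "process" in as_set(get_field(event, "event.category"))
        and bool(as_set(get_field(event, "event.type")) & START_EVENT_TYPES)
        and str(get_field(event, "process.name")) in IODINE_PROCESS_NAMES
    )


def matches_legacy_query(event: Dict[str, Any]) -> bool:
    """Pre-7.9.0 query: process.name:(iodine or iodined) and event.action:executed."""
    return (
        str(get_field(event, "process.name")) in IODINE_PROCESS_NAMES
        and get_field(event, "event.action") == "executed"
    )


def alerting_events(
    events: Iterable[Dict[str, Any]],
    query: Callable[[Dict[str, Any]], bool] = matches_current_query,
) -> List[Dict[str, Any]]:
    """Return the events that would raise an alert under the given query."""
    return [e for e in events if query(e)]


def alert_summary(events: Iterable[Dict[str, Any]]) -> List[str]:
    """Short 'host: process' lines for the events that match the current query."""
    return [
        f"{get_field(e, 'host.name')}: {get_field(e, 'process.name')}"
        for e in alerting_events(events)
    ]


# Constructed sample events (hypothetical host names and arguments).
SAMPLE_EVENTS = [
    {   # array-valued event.type, action is not "executed": current query only
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "process": {"name": "iodine", "args": ["iodine", "-f", "10.0.0.1", "t.example"]},
        "host": {"name": "lab-host-1"},
    },
    {   # scalar event.type plus event.action executed: both queries match
        "event": {"category": "process", "type": "process_started", "action": "executed"},
        "process": {"name": "iodined", "args": ["iodined", "-f", "10.0.0.1", "t.example"]},
        "host": {"name": "lab-host-2"},
    },
    {   # ordinary daemon start: neither query matches
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "process": {"name": "sshd", "args": ["/usr/sbin/sshd", "-D"]},
        "host": {"name": "lab-host-1"},
    },
    {   # iodine process exit: not a start event, so no alert
        "event": {"category": ["process"], "type": ["end"], "action": "process_stopped"},
        "process": {"name": "iodine", "args": ["iodine"]},
        "host": {"name": "lab-host-1"},
    },
    {   # network event from the same binary: wrong event.category, no alert
        "event": {"category": ["network"], "type": ["connection"], "action": "connection_attempted"},
        "process": {"name": "iodine"},
        "host": {"name": "lab-host-1"},
    },
]


if __name__ == "__main__":
    for line in alert_summary(SAMPLE_EVENTS):
        print(line)
```

The two event shapes in the samples show why the current query keys on event.category and event.type rather than event.action: a start event whose action is recorded as something other than "executed" is still caught, while the same binary's exit and network events are not.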
Rule version history
- Version 6 (7.11.2 release)
  - Formatting only
- Version 5 (7.10.0 release)
  - Formatting only
- Version 4 (7.9.1 release)
  - Formatting only
- Version 3 (7.9.0 release)
  - Updated query, changed from:
    process.name:(iodine or iodined) and event.action:executed
- Version 2 (7.7.0 release)
  - Updated query, changed from:
    process.name: (iodine or iodined) and event.action:executed