Spike in Network Traffic

A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; so may unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge.
Rule type: machine_learning
Machine learning job: high_count_network_events
Machine learning anomaly threshold: 75
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Network
- Threat Detection
- ML
Version: 3 (version history)
Added (Elastic Stack release): 7.13.0
Last modified (Elastic Stack release): 7.15.0
Rule authors: Elastic
Rule license: Elastic License v2
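As an added illustration (not taken from the Elastic documentation or the elastic/detection-rules repository), the metadata above expressed as a request body for the Kibana Detections API rule-creation endpoint (`POST /api/detection_engine/rules`). The field names follow that API as I know it; the `rule_id` value is a placeholder to be replaced with your own identifier.

```json
{
  "rule_id": "PLACEHOLDER-replace-with-your-rule-id",
  "name": "Spike in Network Traffic",
  "description": "A machine learning job detected an unusually large spike in network traffic.",
  "type": "machine_learning",
  "machine_learning_job_id": "high_count_network_events",
  "anomaly_threshold": 75,
  "severity": "low",
  "risk_score": 21,
  "interval": "15m",
  "from": "now-30m",
  "max_signals": 100,
  "tags": ["Elastic", "Network", "Threat Detection", "ML"],
  "author": ["Elastic"],
  "license": "Elastic License v2",
  "version": 3,
  "false_positives": [
    "Business workflows that occur very occasionally and involve an unusual surge in network traffic.",
    "A new business workflow or a surge in business activity.",
    "A misconfigured network application or firewall."
  ],
  "enabled": true
}
```

The `high_count_network_events` job must already exist and be running in the Machine Learning app before the rule will produce alerts; `anomaly_threshold` is the minimum anomaly score (0-100) an ML result needs to generate an alert, and `from` with `interval` gives the 15-minute overlap that absorbs delayed ML results.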
Potential false positives
Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert.
Rule version history
- Version 3 (7.15.0 release)
  - Formatting only
- Version 2 (7.14.0 release)
  - Formatting only