Spike in Firewall Denies
A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a misconfigured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, whether to reach command-and-control (C2) infrastructure or to exfiltrate data, may produce a burst of failed connections. Unusually large amounts of reconnaissance or enumeration traffic can have the same effect, as can denial-of-service attacks or traffic floods.
Rule type: machine_learning
Machine learning job: high_count_network_denies
Machine learning anomaly threshold: 75
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Network
- Threat Detection
- ML
Version: 2 (version history)
Added (Elastic Stack release): 7.13.0
Last modified (Elastic Stack release): 7.14.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may also trigger this alert.
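The page does not expose the logic of the high_count_network_denies job, so the following is an added Python stand-in, not Elastic's code: it buckets constructed firewall deny lines into the rule's 15-minute windows, flags a window whose count sits far above the other windows, and summarises that window so an analyst can tell the misconfigured-application case apart from the scan-like case mentioned under false positives. The log format, IP addresses and the z-score threshold are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample data (not real firewall output): "<ISO timestamp> DENY <src> <dst>:<port>"
def constructed_logs():
    base = datetime(2024, 1, 1, 8, 0)
    lines = []
    for w in range(6):  # six quiet 15-minute windows, two denies each
        t = base + timedelta(minutes=15 * w)
        lines.append(f"{t.isoformat()} DENY 10.0.0.5 10.0.1.10:443")
        lines.append(f"{(t + timedelta(minutes=7)).isoformat()} DENY 10.0.0.9 10.0.1.20:22")
    t = base + timedelta(minutes=90)  # one window: a single host denied on 40 distinct ports
    for i in range(40):
        lines.append(f"{(t + timedelta(seconds=5 * i)).isoformat()} DENY 10.0.0.77 10.0.1.30:{1000 + i}")
    return lines

def bucket_denies(lines, window_minutes=15):
    """Group DENY events into fixed-size windows keyed by the window start time."""
    buckets = defaultdict(list)
    for line in lines:
        ts, action, src, dst = line.split()
        if action == "DENY":
            host, port = dst.rsplit(":", 1)
            start = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
            start -= timedelta(minutes=start.minute % window_minutes)
            buckets[start].append((src, host, int(port)))
    return buckets

def find_spikes(buckets, z=3.0):
    """Flag windows above the other windows' mean by z deviations (1.0 floor avoids a flat baseline)."""
    spikes = []
    for start, events in buckets.items():
        others = [len(e) for s, e in buckets.items() if s != start]
        if len(others) >= 2 and len(events) > mean(others) + z * max(pstdev(others), 1.0):
            spikes.append(start)
    return sorted(spikes)

def summarise(events):
    """Triage hints for a flagged window: who was denied, going where, how widely."""
    srcs, hosts, ports = (Counter(e[i] for e in events) for i in range(3))
    top_src, top_n = srcs.most_common(1)[0]
    if top_n / len(events) < 0.8:
        verdict = "many sources: possible flood or broad scan"
    elif len(hosts) == 1 and len(ports) == 1:
        verdict = "one source to one service: likely misconfigured application"
    else:
        verdict = "one source to many ports or hosts: scan-like, investigate"
    return {"count": len(events), "top_source": top_src, "distinct_hosts": len(hosts),
            "distinct_ports": len(ports), "verdict": verdict}
```

Running `summarise(bucket_denies(constructed_logs())[find_spikes(bucket_denies(constructed_logs()))[0]])` on the constructed data flags the 09:30 window and reports one source hitting 40 distinct ports.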
Rule version history
- Version 2 (7.14.0 release)
  - Formatting only