Spike in Network Traffic To a Country
editSpike in Network Traffic To a Country
editA machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.
Rule type: machine_learning
Machine learning job: high_count_by_destination_country
Machine learning anomaly threshold: 75
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Network
- Threat Detection
- ML
Version: 100 (version history)
Added (Elastic Stack release): 7.13.0
Last modified (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editBusiness workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity.
Rule version history
edit- Version 100 (8.5.0 release)
-
- Formatting only
- Version 2 (7.14.0 release)
-
- Formatting only