IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Spike in Network Traffic Suspicious DLL Loaded for Persistence or Privilege Escalation »

› ›

Spike in Network Traffic To a Country

edit

Spike in Network Traffic To a Country

edit

A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html

Tags:

Elastic
Network
Threat Detection
ML

version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

« Spike in Network Traffic Suspicious DLL Loaded for Persistence or Privilege Escalation »