IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
IPSEC NAT Traversal Port Activity
This rule detects events that could describe IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another over encrypted tunnels. NAT Traversal enables these tunnels to operate across the Internet when one of the endpoints sits behind a NAT router gateway. This traffic may be common on your network, but the technique is also used by threat actors to avoid detection.
Rule type: query
Rule indices:
- packetbeat-*
- auditbeat-*
- filebeat-*
- logs-network_traffic.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Tactic: Command and Control
- Domain: Endpoint
- Use Case: Threat Detection
Version: 104
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500
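The rule query above is a single KQL predicate: an event qualifies as network traffic (either the Packetbeat flow dataset or an event.category of network/network_traffic), is UDP, and is headed to destination port 4500. The following is an added example, not Elastic's code, that re-implements that predicate in Python and runs it over constructed sample events so the matching and non-matching cases are visible side by side. It uses flat, dotted ECS field names rather than nested documents, and the allowlist of known VPN gateway IPs is an assumed tuning step standing in for a rule exception; it is not part of the prebuilt rule.

```python
"""Evaluate the 'IPSEC NAT Traversal Port Activity' rule query against ECS-style events.

Added example (not Elastic's code): a Python re-implementation of the rule's
KQL predicate, run over constructed sample flow records, plus an optional
allowlist of known VPN gateways to show how a SOC might tune the rule.
"""

NETWORK_CATEGORIES = {"network", "network_traffic"}
IPSEC_NAT_T_PORT = 4500


def _as_set(value):
    """ECS fields may be scalars or arrays; normalise either to a set of strings."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return {str(v) for v in value}
    return {str(value)}


def matches_rule(event):
    """Return True when the event satisfies the rule query:

    (event.dataset: network_traffic.flow or event.category: (network or network_traffic))
    and network.transport:udp and destination.port:4500

    Keyword fields are compared exactly, as KQL does on keyword mappings.
    """
    dataset_ok = "network_traffic.flow" in _as_set(event.get("event.dataset"))
    category_ok = bool(_as_set(event.get("event.category")) & NETWORK_CATEGORIES)
    transport_ok = "udp" in _as_set(event.get("network.transport"))
    port_ok = event.get("destination.port") == IPSEC_NAT_T_PORT
    return (dataset_ok or category_ok) and transport_ok and port_ok


def evaluate(events, known_vpn_gateways=frozenset()):
    """Run the rule over a list of events.

    Returns (alerts, suppressed): matches not destined to a known VPN gateway,
    and matches that an analyst-maintained allowlist would suppress via a rule
    exception. The allowlist is an assumed tuning step, not part of the rule.
    """
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("destination.ip") in known_vpn_gateways:
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


# Constructed sample events (flat ECS field names; all IPs are documentation ranges).
SAMPLE_EVENTS = [
    # 1: Packetbeat flow to the corporate VPN concentrator -> matches, expected traffic
    {"event.dataset": "network_traffic.flow", "network.transport": "udp",
     "source.ip": "192.0.2.10", "destination.ip": "198.51.100.5", "destination.port": 4500},
    # 2: Firewall log (category only) to an unknown external host -> matches, worth review
    {"event.category": ["network"], "network.transport": "udp",
     "source.ip": "192.0.2.11", "destination.ip": "203.0.113.77", "destination.port": 4500},
    # 3: Same port over TCP -> not matched (rule requires udp)
    {"event.category": "network", "network.transport": "tcp",
     "source.ip": "192.0.2.12", "destination.ip": "203.0.113.77", "destination.port": 4500},
    # 4: IKE on 500/udp -> not matched (rule only looks at 4500)
    {"event.dataset": "network_traffic.flow", "network.transport": "udp",
     "source.ip": "192.0.2.13", "destination.ip": "203.0.113.77", "destination.port": 500},
    # 5: Right port and transport but not a network event -> not matched
    {"event.category": "process", "network.transport": "udp",
     "source.ip": "192.0.2.14", "destination.ip": "203.0.113.77", "destination.port": 4500},
]

# Assumed allowlist for tuning: the organisation's own VPN gateway(s).
KNOWN_VPN_GATEWAYS = frozenset({"198.51.100.5"})


if __name__ == "__main__":
    alerts, suppressed = evaluate(SAMPLE_EVENTS, KNOWN_VPN_GATEWAYS)
    for ev in alerts:
        print(f"ALERT  {ev['source.ip']} -> {ev['destination.ip']}:{ev['destination.port']}")
    for ev in suppressed:
        print(f"EXCEPT {ev['source.ip']} -> {ev['destination.ip']} (known VPN gateway)")
```

Because the rule keys only on the destination port and transport, every legitimate IPSEC NAT-T session to your own VPN concentrators will match; the allowlist above mirrors the rule exception a SOC would add for those gateways so that the remaining alerts are flows to hosts that are not known VPN endpoints.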
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/