IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Unusual Network Connection via RunDLL32 Unusual Parent Process for cmd.exe »
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference

Unusual Network Destination Domain Name

edit

Unusual Network Destination Domain Name

edit

A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Threat Detection
  • Rule Type: ML
  • Rule Type: Machine Learning

Version: 103

Rule authors:

  • Elastic

Rule license: Elastic License v2

« Unusual Network Connection via RunDLL32 Unusual Parent Process for cmd.exe »