Link to rule
https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
Description
This rule, when run in large environments (500+ hosts), is never able to complete successfully and always times out.
I'm still not that great at EQL, so I don't really know the best solution here, but here is a bit more information that might be able to help others improve this rule.
Example Data
Timeout Errors
If we look at how much data this rule deals with in its 9-minute window in the environment, we see there are ~40k events.
If we then look at the cardinality of process.entity_id for this same window, we see that of the ~40k events, there are ~15.5k unique process.entity_id values.
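The two measurements the issue reports (event volume in the rule's 9-minute window and the cardinality of process.entity_id in that same window) are the numbers a rule maintainer needs before tuning or deprecating a sequence rule. The following is an added example, not code from the issue or from the elastic/detection-rules project: it computes both numbers offline over a small set of constructed ECS-shaped events, and builds the equivalent Elasticsearch request (a range query plus a standard cardinality aggregation) that would return the same figures against a real index. The window length (9 minutes) and the field name (process.entity_id) are taken from the issue; the sample events and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data) in ECS shape. Five events fall
# inside the window that ends at 00:09:00Z; two sit just outside it.
SAMPLE_EVENTS = [
    {"@timestamp": "2022-12-31T23:50:00Z", "process.entity_id": "hostA-4000"},  # before window
    {"@timestamp": "2023-01-01T00:00:10Z", "process.entity_id": "hostA-4101"},
    {"@timestamp": "2023-01-01T00:01:00Z", "process.entity_id": "hostA-4101"},
    {"@timestamp": "2023-01-01T00:02:00Z", "process.entity_id": "hostB-2202"},
    {"@timestamp": "2023-01-01T00:05:00Z", "process.entity_id": "hostC-7303"},
    {"@timestamp": "2023-01-01T00:08:59Z", "process.entity_id": "hostB-2202"},
    {"@timestamp": "2023-01-01T00:09:30Z", "process.entity_id": "hostD-9404"},  # after window
]

WINDOW_MINUTES = 9  # the rule's lookback window as stated in the issue


def parse_ts(value):
    """Parse an ECS @timestamp string (UTC, second precision) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_stats(events, window_end, window_minutes=WINDOW_MINUTES, field="process.entity_id"):
    """Count events and distinct `field` values inside [window_end - N min, window_end].

    The ratio of distinct values to events is the quantity that drives the
    per-entity state a sequence rule must keep while it joins on that field.
    """
    start = window_end - timedelta(minutes=window_minutes)
    in_window = [e for e in events if start <= parse_ts(e["@timestamp"]) <= window_end]
    distinct = {e[field] for e in in_window}
    return {
        "events": len(in_window),
        "unique_values": len(distinct),
        "unique_ratio": (len(distinct) / len(in_window)) if in_window else 0.0,
    }


def cardinality_query(window_end, window_minutes=WINDOW_MINUTES, field="process.entity_id"):
    """Build the Elasticsearch _search body that returns the same two numbers.

    `hits.total.value` gives the event count and the `cardinality` aggregation
    gives the (approximate, HyperLogLog++) number of distinct field values.
    """
    start = window_end - timedelta(minutes=window_minutes)
    return {
        "size": 0,
        "track_total_hits": True,
        "query": {
            "range": {
                "@timestamp": {"gte": start.isoformat(), "lte": window_end.isoformat()}
            }
        },
        "aggs": {"unique_ids": {"cardinality": {"field": field}}},
    }


if __name__ == "__main__":
    end = parse_ts("2023-01-01T00:09:00Z")
    print(window_stats(SAMPLE_EVENTS, end))
    print(cardinality_query(end))
```

Run against the constructed events the window holds 5 events with 3 distinct process.entity_id values; against a real cluster, send the body from cardinality_query to the index the rule reads and compare hits.total.value with aggregations.unique_ids.value, which is what the ~40k and ~15.5k figures in the issue correspond to.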
Hi @BenB196 once again, thanks for your detailed analysis! After giving this rule a look, I noticed that it also times out in my testing environments. As the main purpose of this rule is to detect malicious network connections, and we already have several rules in place (that we did not have when this rule was created), we decided to deprecate this rule (in #2985).
This behavior will be detected by these new reverse shell rules:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.