
Commit 7deff83

[DOCS] Adds ML security network modules (elastic#1680)
1 parent 1ebcdea commit 7deff83

File tree

1 file changed: +134 -0 lines changed


docs/en/stack/ml/anomaly-detection/ootb-ml-jobs-siem.asciidoc

Lines changed: 134 additions & 0 deletions
@@ -854,6 +854,140 @@ Required ECS fields:::
854854

855855
// end::security-linux-jobs[]
856856

857+
[discrete]
858+
[[security-network-jobs]]
859+
== Security: Network
860+
861+
These configurations are only available if data exists that matches the
862+
recognizer query specified in the
863+
https://github.com/elastic/kibana/blob/{branch}/x-pack/plugins/ml/server/models/data_recognizer/modules/security_network/manifest.json[manifest file].
864+
865+
Detect anomalous network activity in your ECS-compatible network logs.
866+
867+
// tag::security-network-jobs[]
868+
high_count_by_destination_country::
869+
Looks for an unusually large spike in network activity to one destination
870+
country in the network logs. This could be due to unusually large amounts of
871+
reconnaissance or enumeration traffic. Data exfiltration activity may also
872+
produce such a surge in traffic to a destination country which does not normally
873+
appear in network traffic or business work-flows. Malware instances and
874+
persistence mechanisms may communicate with command-and-control (C2)
875+
infrastructure in their country of origin, which may be an unusual destination
876+
country for the source network.
877+
878+
Job details:::
879+
880+
* Analyzes network activity logs where `event.category` is `network`.
881+
* Detects unusually high number of events by country (using the
882+
{ml-docs}/ml-count-functions.html#ml-nonzero-count[`high_non_zero` function]).
883+
* Works on ECS compatible events across multiple indices.
884+
885+
Required {beats} or {agent} integrations:::
886+
887+
* {elastic-endpoint} integration
888+
* {filebeat}
889+
* {packetbeat}
890+
891+
Required ECS fields:::
892+
893+
* `destination.as.organization.name`
894+
* `destination.geo.country_name`
895+
* `destination.ip`
896+
* `event.category`
897+
* `source.ip`
898+
899+
high_count_network_denies::
900+
Looks for an unusually large spike in network traffic that was denied by network
901+
access control lists (ACL) or firewall rules. Such a burst of denied traffic is
902+
usually either a misconfigured application or firewall, or suspicious or
903+
malicious activity. Unsuccessful attempts at network transit, in order to
904+
connect to command-and-control (C2), or engage in data exfiltration, may produce
905+
a burst of failed connections. This could also be due to unusually large amounts
906+
of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic
907+
floods may also produce such a surge in traffic.
908+
909+
Job details:::
910+
911+
* Analyzes network activity logs where `event.category` is `network` and
912+
`event.outcome` is `deny`.
913+
* Detects unusually high numbers of events (using the
914+
{ml-docs}/ml-count-functions.html#ml-count[`high_count` function]).
915+
* Works on ECS compatible events across multiple indices.
916+
917+
Required {beats} or {agent} integrations:::
918+
919+
* {elastic-endpoint} integration
920+
* {filebeat}
921+
* {packetbeat}
922+
923+
Required ECS fields:::
924+
925+
* `destination.as.organization.name`
926+
* `destination.geo.country_name`
927+
* `destination.port`
928+
* `event.category`
929+
* `event.outcome`
930+
* `source.ip`
931+
932+
high_count_network_events::
933+
Looks for an unusually large spike in network traffic. Such a burst of traffic,
934+
if not caused by a surge in business activity, can be due to suspicious or
935+
malicious activity. Large-scale data exfiltration may produce a burst of network
936+
traffic; this could also be due to unusually large amounts of reconnaissance or
937+
enumeration traffic. Denial-of-service attacks or traffic floods may also
938+
produce such a surge in traffic.
939+
940+
Job details:::
941+
942+
* Analyzes network activity logs where `event.category` is `network`.
943+
* Detects unusually high numbers of events (using the
944+
{ml-docs}/ml-count-functions.html#ml-count[`high_count` function]).
945+
* Works on ECS compatible events across multiple indices.
946+
947+
Required {beats} or {agent} integrations:::
948+
949+
* {elastic-endpoint} integration
950+
* {filebeat}
951+
* {packetbeat}
952+
953+
Required ECS fields:::
954+
955+
* `destination.as.organization.name`
956+
* `destination.geo.country_name`
957+
* `destination.port`
958+
* `event.category`
959+
* `source.ip`
960+
961+
rare_destination_country::
962+
Looks for an unusual destination country name in the network logs. This can be
963+
due to initial access, persistence, command-and-control, or exfiltration
964+
activity. For example, when a user clicks on a link in a phishing email or opens
965+
a malicious document, a request may be sent to download and run a payload from a
966+
server in a country which does not normally appear in network traffic or
967+
business work-flows. Malware instances and persistence mechanisms may
968+
communicate with command-and-control (C2) infrastructure in their country of
969+
origin, which may be an unusual destination country for the source network.
970+
971+
Job details:::
972+
973+
* Analyzes network activity logs where `event.category` is `network`.
974+
* Detects activity that is rare by country name (using the
975+
{ml-docs}/ml-rare-functions.html[`rare` function]).
976+
* Works on ECS compatible events across multiple indices.
977+
978+
Required {beats} or {agent} integrations:::
979+
980+
* {elastic-endpoint} integration
981+
* {filebeat}
982+
* {packetbeat}
983+
984+
Required ECS fields:::
985+
986+
* `destination.geo.country_name`
987+
* `event.category`
988+
989+
// end::security-network-jobs[]
990+
857991
[discrete]
858992
[[security-packetbeat-jobs]]
859993
== Security: {packetbeat}
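Review bot: the function name in the `high_count_by_destination_country` job details reads `high_non_zero`, which is not a complete ML count function name; the anchor `#ml-nonzero-count` points at the non-zero count family, whose high-sided variant is `high_non_zero_count`. Suggest changing the bullet to `{ml-docs}/ml-count-functions.html#ml-nonzero-count[`high_non_zero_count` function]` so the link text matches the function the job actually configures. Minor wording point in the same bullet: "Detects unusually high number of events by country" should read "numbers of events", matching the phrasing used by the `high_count_network_denies` and `high_count_network_events` entries. Also worth a second look: the `high_count_network_denies` entry filters on `event.outcome` is `deny`; please confirm against the module's datafeed that `deny` is the value the job queries, since the docs will be the reference readers use to map their firewall logs.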
