Spike in Firewall Denies
A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a misconfigured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2) or to engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.
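As an added illustration (not Elastic's ML job, whose model is not described on this page), the following Python stand-in buckets constructed firewall log events into 15-minute windows and flags any window whose deny count is far above a robust baseline; the median/MAD baseline, the threshold of 6 and the sample events are all assumptions.

```python
"""Added example: detect a spike in firewall denies over constructed log events.
This is a simple statistical stand-in, not Elastic's high-count-network-denies job."""
from collections import Counter
from datetime import datetime, timedelta
import statistics


def make_sample_events():
    """Constructed sample: (timestamp, action) pairs, one per connection attempt.
    Eight quiet 15-minute windows with 3-4 denies each, then one window with 120."""
    base = datetime(2024, 1, 1, 0, 0)
    events = []
    for w in range(8):
        for i in range(3 + (w % 2)):
            events.append((base + timedelta(minutes=15 * w, seconds=i), "denied"))
        events.append((base + timedelta(minutes=15 * w, seconds=30), "allowed"))
    for i in range(120):  # the burst: e.g. a misconfigured app or C2 beaconing
        events.append((base + timedelta(minutes=15 * 8, seconds=i), "denied"))
    return events


def count_denies_per_window(events, window_minutes=15):
    """Count denied events per fixed window (mirrors the rule's 15-minute cadence)."""
    counts = Counter()
    for ts, action in events:
        if action != "denied":
            continue
        bucket = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                            second=0, microsecond=0)
        counts[bucket] += 1
    return counts


def find_spikes(counts, threshold=6.0):
    """Return windows whose deny count exceeds median + threshold * MAD.
    MAD (median absolute deviation) is robust to the spike itself inflating the
    baseline; a MAD of 0 falls back to 1 so a flat history still yields a bound."""
    values = sorted(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0
    return sorted(b for b, c in counts.items() if c > median + threshold * mad)


if __name__ == "__main__":
    counts = count_denies_per_window(make_sample_events())
    for window in find_spikes(counts):
        print(f"spike: {window.isoformat()} denies={counts[window]}")
```

Feeding real events is a matter of replacing `make_sample_events()` with (timestamp, action) pairs read from your firewall index; the baseline should then span far more than nine windows.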
Rule type: machine_learning
Machine learning job: high-count-network-denies
Machine learning anomaly threshold: 75
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Network
- Threat Detection
- ML
Version: 1
Added (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
A misconfigured network application or firewall may trigger this alert. Security scans or test cycles may also trigger this alert.