[New] Suricata and Elastic Defend Network Correlation (#5443)
* [New] Suricata and Elastic Defend - Command and Control Correlation This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process performing the network activity. * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml * Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update command_and_control_suricata_elastic_defend_c2.toml * Update command_and_control_suricata_elastic_defend_c2.toml * add suricata to schemas * merge from main * reset schemas * Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Samirbous
@@ -0,0 +1,77 @@
|
||||
[metadata]
|
||||
creation_date = "2025/12/10"
|
||||
integration = ["endpoint", "suricata"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/10"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing
|
||||
the network activity.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suricata and Elastic Defend Network Correlation"
|
||||
references = [
|
||||
"https://attack.mitre.org/tactics/TA0011/",
|
||||
"https://www.elastic.co/docs/reference/integrations/suricata",
|
||||
"https://www.elastic.co/docs/reference/integrations/endpoint"
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"Domain: Network",
|
||||
"OS: Linux",
|
||||
"OS: Windows",
|
||||
"OS: macOS",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Command and Control",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Suricata",
|
||||
"Resources: Investigation Guide",
|
||||
]
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by source.port, source.ip, destination.ip with maxspan=1m
|
||||
[network where event.dataset == "suricata.eve" and event.kind == "alert" and event.severity != 3 and source.ip != null and destination.ip != null]
|
||||
[network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
|
||||
'''
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Suricata and Elastic Defend Network Correlation
|
||||
|
||||
### Possible investigation steps
|
||||
|
||||
- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
|
||||
- Review the process details like command_line, privileges, global relevance and reputation.
|
||||
- Assess the destination.ip reputation and global relevance.
|
||||
- Review the parent process execution details like command_line, global relevance and reputation.
|
||||
- Examine all network connection details performed by the process during last 48h.
|
||||
- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- Trusted system or third party processes performing network activity that looks like beaconing.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
|
||||
- Terminate the suspicious processes and all associated children and parents.
|
||||
- Implement network-level controls to block traffic to the destination.ip.
|
||||
- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
|
||||
- Reset credentials for any accounts associated with the source machine.
|
||||
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
|
||||
"""
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
Reference in New Issue
Block a user