Unusual Network Destination Domain Name

Last updated 7 months ago on 2025-01-15

Created 5 years ago on 2020-03-25

About

A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.

Tags: Use Case: Threat DetectionRule Type: MLRule Type: Machine Learning
Severity: low
Risk Score: 21
False Positive Examples: Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these.
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

auditd_manager(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Network Destination Domain Name in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).