Command and Control (TA0011)
Lateral Movement (TA0008)
Initial Access (TA0001)
network_traffic
panw
fortinet_fortigate
pfsense
Rule query (KQL):
(data_stream.dataset:(fortinet_fortigate.log or network_traffic.flow or panw.panos or pfsense.log or sonicwall_firewall.log or suricata.eve) or event.category:(network or network_traffic))
and event.type:(connection and not (denied or end))
and not event.action:(Reject or client-rst or connection-denied or connection-end or denied or deny or flow_denied or flow_dropped or flow_terminated or network_flow or server-rst or timeout)
and not (event.action:netflow_flow and not network.packets > 1)
and not network.application:(stretchoid-scanning or traceroute)
and destination.port:23
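To make the rule's filtering visible outside the detection engine, here is an added example (not Elastic's own code or rule implementation) that re-implements the query's clauses in Python over ECS-style event dictionaries. The sample events, their ids and field values are constructed for the illustration; the `_values` helper and the match-set membership logic are assumptions about how the KQL clauses map onto multi-valued ECS fields, and term matching is treated as exact (keyword) comparison.

```python
"""Re-implementation of the 'Accepted Default Telnet Port Connection' query logic
over ECS-style events. Added illustration only; not the Elastic rule itself."""
from typing import Any, Dict, List

# Value sets copied from the rule query.
DATASETS = {
    "fortinet_fortigate.log", "network_traffic.flow", "panw.panos",
    "pfsense.log", "sonicwall_firewall.log", "suricata.eve",
}
NETWORK_CATEGORIES = {"network", "network_traffic"}
EXCLUDED_ACTIONS = {
    "Reject", "client-rst", "connection-denied", "connection-end", "denied",
    "deny", "flow_denied", "flow_dropped", "flow_terminated", "network_flow",
    "server-rst", "timeout",
}
SCANNER_APPS = {"stretchoid-scanning", "traceroute"}
TELNET_PORT = 23


def _values(event: Dict[str, Any], path: str) -> List[Any]:
    """Resolve a dotted ECS path (nested dicts or a flattened key) to a list.
    ECS fields such as event.type may be multi-valued, so always return a list."""
    if path in event:                       # flattened form: {"event.type": [...]}
        value = event[path]
    else:                                   # nested form: {"event": {"type": [...]}}
        cur: Any = event
        for part in path.split("."):
            if not isinstance(cur, dict) or part not in cur:
                return []
            cur = cur[part]
        value = cur
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies every clause of the rule query."""
    # Clause 1: event comes from a supported firewall/flow dataset or is network-categorised.
    in_scope = (set(_values(event, "data_stream.dataset")) & DATASETS) or (
        set(_values(event, "event.category")) & NETWORK_CATEGORIES)
    if not in_scope:
        return False
    # Clause 2: a connection event that is neither denied nor an end-of-flow record.
    types = set(_values(event, "event.type"))
    if "connection" not in types or types & {"denied", "end"}:
        return False
    # Clause 3: vendor-specific deny/teardown actions are excluded.
    actions = set(_values(event, "event.action"))
    if actions & EXCLUDED_ACTIONS:
        return False
    # Clause 4: NetFlow records only count when more than one packet was seen,
    # which filters single-SYN probes that never completed a handshake.
    if "netflow_flow" in actions:
        packets = _values(event, "network.packets")
        if not any(isinstance(p, (int, float)) and p > 1 for p in packets):
            return False
    # Clause 5: known scanner / traceroute traffic is excluded.
    if set(_values(event, "network.application")) & SCANNER_APPS:
        return False
    # Clause 6: destination must be the default Telnet port.
    return TELNET_PORT in _values(event, "destination.port")


def find_accepted_telnet(events: List[Dict[str, Any]]) -> List[str]:
    """Return the event.id of every event the rule would alert on."""
    return [_values(e, "event.id")[0] for e in events if matches_rule(e)]


# Constructed sample events (ids, addresses and counts are made up for the example).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"id": "evt-1", "category": ["network"], "type": ["connection", "start"], "action": "pass"},
     "data_stream": {"dataset": "pfsense.log"}, "source": {"ip": "10.0.0.9"}, "destination": {"ip": "10.0.0.5", "port": 23}},
    {"event": {"id": "evt-2", "category": ["network"], "type": ["connection"], "action": "deny"},
     "data_stream": {"dataset": "fortinet_fortigate.log"}, "destination": {"port": 23}},
    {"event": {"id": "evt-3", "category": ["network"], "type": ["connection"], "action": "netflow_flow"},
     "network": {"packets": 1}, "destination": {"port": 23}},
    {"event": {"id": "evt-4", "category": ["network"], "type": ["connection"], "action": "netflow_flow"},
     "network": {"packets": 14}, "destination": {"port": 23}},
    {"event": {"id": "evt-5", "category": ["network"], "type": ["connection", "start"]},
     "data_stream": {"dataset": "suricata.eve"}, "network": {"application": "traceroute"}, "destination": {"port": 23}},
    {"event": {"id": "evt-6", "category": ["network"], "type": ["connection", "end"], "action": "flow_terminated"},
     "data_stream": {"dataset": "panw.panos"}, "destination": {"port": 23}},
    {"event": {"id": "evt-7", "category": ["network"], "type": ["connection", "start"], "action": "pass"},
     "data_stream": {"dataset": "pfsense.log"}, "destination": {"port": 22}},
    {"event": {"id": "evt-8", "category": ["authentication"], "type": ["start"]},
     "data_stream": {"dataset": "system.auth"}, "destination": {"port": 23}},
]

if __name__ == "__main__":
    print("Alerting events:", find_accepted_telnet(SAMPLE_EVENTS))
```

Only `evt-1` (an accepted pfSense connection) and `evt-4` (a NetFlow record with more than one packet) survive the filter; the denied, single-packet, traceroute, end-of-flow, non-Telnet and out-of-scope events are dropped by the corresponding clause, which is a useful way to check what a proposed exception would suppress before editing the rule.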
Install detection rules in Elastic Security
Detect Accepted Default Telnet Port Connection in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.