Network Traffic to Rare Destination Country

Last updated 7 months ago on 2025-01-15

Created 4 years ago on 2021-04-05

About

A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.

Tags: Use Case: Threat DetectionRule Type: MLRule Type: Machine Learning
Severity: low
Risk Score: 21
False Positive Examples: Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert.
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

endpoint(opens in a new tab or window)

network_traffic(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Network Traffic to Rare Destination Country in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).