Command and Control (TA0011)

Rule query (EQL):

```eql
sequence by source.port, source.ip, destination.ip with maxspan=5s
  [network where event.dataset == "suricata.eve" and event.kind == "alert" and event.severity != 3 and
   source.ip != null and destination.ip != null and
   not source.domain : ("*nessusscan*", "SCCMPS*") and
   not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File",
                     "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
  [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted") and
   not process.executable in ("System", "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Inventory\\PDQInventoryService.exe") and
   not process.executable : "C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe"]
```
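To make the correlation logic concrete, the following is an added Python example (not Elastic's code and not the detection engine's implementation) that applies the same two-stage sequence to a constructed list of events: stage one is a non-severity-3 Suricata alert with the page's `source.domain` and `rule.name` exclusions, stage two is an Elastic Defend network event with the page's `process.executable` exclusions, and the two are joined on `(source.port, source.ip, destination.ip)` within a 5-second window. All event values, rule names marked "constructed", hostnames, paths and timestamps are constructed test data; the simplified state machine keeps only the newest pending alert per join key, which is narrower than EQL's full sequence semantics.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional, Tuple

MAXSPAN = timedelta(seconds=5)

# Exclusions taken from the rule query above.
EXCLUDED_RULE_NAMES = {
    "ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File",
    "ET SCAN MS Terminal Server Traffic on Non-standard Port",
}
EXCLUDED_SOURCE_DOMAINS = ("*nessusscan*", "SCCMPS*")
EXCLUDED_EXECUTABLES = {
    "System",
    r"C:\Program Files (x86)\Admin Arsenal\PDQ Inventory\PDQInventoryService.exe",
}
EXCLUDED_EXECUTABLE_PATTERN = (
    r"C:\Windows\AdminArsenal\PDQInventory-Scanner\service-*\exec\PDQInventoryScanner.exe"
)

Event = Dict[str, Any]


def wildcard(value: Optional[str], pattern: str) -> bool:
    """Approximates EQL's ':' operator: case-insensitive wildcard match."""
    if value is None:
        return False
    return fnmatchcase(value.lower(), pattern.lower())


def is_suricata_alert(ev: Event) -> bool:
    """Stage one of the sequence: a filtered Suricata alert."""
    if ev.get("event.dataset") != "suricata.eve" or ev.get("event.kind") != "alert":
        return False
    if ev.get("event.severity") == 3:
        return False
    if ev.get("source.ip") is None or ev.get("destination.ip") is None:
        return False
    if any(wildcard(ev.get("source.domain"), p) for p in EXCLUDED_SOURCE_DOMAINS):
        return False
    return ev.get("rule.name") not in EXCLUDED_RULE_NAMES


def is_endpoint_network(ev: Event) -> bool:
    """Stage two of the sequence: an Elastic Defend network event."""
    if ev.get("event.module") != "endpoint":
        return False
    if ev.get("event.action") not in ("disconnect_received", "connection_attempted"):
        return False
    exe = ev.get("process.executable")
    if exe in EXCLUDED_EXECUTABLES:
        return False
    return not wildcard(exe, EXCLUDED_EXECUTABLE_PATTERN)


def correlate(events: List[Event]) -> List[Tuple[Event, Event]]:
    """Pairs each stage-one event with the next stage-two event sharing the join key within MAXSPAN."""
    pending: Dict[Tuple[Any, Any, Any], Event] = {}
    matches: List[Tuple[Event, Event]] = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("source.port"), ev.get("source.ip"), ev.get("destination.ip"))
        if any(k is None for k in key):
            continue  # a null join key never correlates
        if is_suricata_alert(ev):
            pending[key] = ev  # newest alert for this tuple replaces an older one (simplification)
        elif is_endpoint_network(ev):
            first = pending.get(key)
            if first is not None and timedelta(0) <= ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                matches.append((first, ev))
                del pending[key]
    return matches


# Constructed sample data (not real telemetry).
BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def suricata(sec: float, sport: int, sip: str, dip: str, rule: str, severity: int = 2) -> Event:
    return {"@timestamp": BASE + timedelta(seconds=sec), "event.dataset": "suricata.eve",
            "event.kind": "alert", "event.severity": severity, "source.port": sport,
            "source.ip": sip, "destination.ip": dip, "source.domain": None, "rule.name": rule}


def endpoint(sec: float, sport: int, sip: str, dip: str, exe: str) -> Event:
    return {"@timestamp": BASE + timedelta(seconds=sec), "event.module": "endpoint",
            "event.action": "connection_attempted", "source.port": sport,
            "source.ip": sip, "destination.ip": dip, "process.executable": exe}


SAMPLE_EVENTS: List[Event] = [
    # 1. alert, then endpoint connection 2 s later on the same tuple -> match
    suricata(0, 51234, "10.0.0.5", "203.0.113.10", "Constructed alert A"),
    endpoint(2, 51234, "10.0.0.5", "203.0.113.10", r"C:\Users\alice\Downloads\installer.exe"),
    # 2. endpoint event 20 s after the alert -> outside maxspan
    suricata(30, 40001, "10.0.0.6", "203.0.113.20", "Constructed alert B"),
    endpoint(50, 40001, "10.0.0.6", "203.0.113.20", r"C:\Program Files\Example\app.exe"),
    # 3. alert name is on the exclusion list -> stage one never fires
    suricata(60, 40002, "10.0.0.7", "10.0.0.50", "ET SCAN MS Terminal Server Traffic on Non-standard Port"),
    endpoint(61, 40002, "10.0.0.7", "10.0.0.50", r"C:\Windows\System32\mstsc.exe"),
    # 4. endpoint process excluded by the PDQ scanner wildcard
    suricata(70, 40003, "10.0.0.8", "10.0.0.60", "Constructed alert C"),
    endpoint(71, 40003, "10.0.0.8", "10.0.0.60",
             r"C:\Windows\AdminArsenal\PDQInventory-Scanner\service-1\exec\PDQInventoryScanner.exe"),
    # 5. severity-3 alert is excluded
    suricata(80, 40004, "10.0.0.9", "203.0.113.30", "Constructed alert D", severity=3),
    endpoint(81, 40004, "10.0.0.9", "203.0.113.30", r"C:\Program Files\Example\app.exe"),
    # 6. endpoint event precedes the alert -> order is part of the sequence
    endpoint(90, 40005, "10.0.0.10", "203.0.113.40", r"C:\Program Files\Example\app.exe"),
    suricata(91, 40005, "10.0.0.10", "203.0.113.40", "Constructed alert E"),
]

if __name__ == "__main__":
    for alert, conn in correlate(SAMPLE_EVENTS):
        print(f"{alert['rule.name']} -> {conn['process.executable']}")
```

Only the first pair survives: the others fail on the time window, an exclusion, the severity filter, or event order, which is the same set of reasons the production rule would stay silent. When tuning exclusions for your own environment, this is a cheap way to check that a new `process.executable` or `rule.name` filter suppresses exactly the pairs you expect and nothing else.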
Install detection rules in Elastic Security
Detect the activity covered by the "Suricata and Elastic Defend Network Correlation" rule in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, see the installation guide for Prebuilt Security Detection Rules.