Elastic Security Detection Rules

Unusual Network Connection to Suspicious Web Service

Last updated 4 months ago on 2025-08-26
Created 9 months ago on 2025-03-26

About

This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains.
Tags
Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

Application Layer Protocol (T1071)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.network-*
Related Integrations

endpoint(external, opens in a new tab or window)

Query
text code block:
event.category : "network" and host.os.type : "macos" and event.type : "start" and
destination.domain : (
    pastebin.* or
    paste.ee or
    ghostbin.com or
    drive.google.com or
    ?.docs.live.net or
    api.dropboxapi.* or
    content.dropboxapi.* or
    *dl.dropboxusercontent.* or
    api.onedrive.com or
    *.onedrive.org or
    onedrive.live.com or
    filebin.net or
    *.ngrok.io or
    ngrok.com or
    *.portmap.* or
    *serveo.net or
    *localtunnel.me or
    *pagekite.me or
    *localxpose.io or
    *notabug.org or
    rawcdn.githack.* or
    paste.nrecom.net or
    zerobin.net or
    controlc.com or
    requestbin.net or
    api.slack.com or
    slack-redir.net or
    slack-files.com or
    cdn.discordapp.com or
    discordapp.com or
    discord.com or
    apis.azureedge.net or
    cdn.sql.gg or
    ?.top4top.io or
    top4top.io or
    uplooder.net or
    *.cdnmegafiles.com or
    transfer.sh or
    updates.peer2profit.com or
    api.telegram.org or
    t.me or
    meacz.gq or
    rwrd.org or
    *.publicvm.com or
    *.blogspot.com or
    api.mylnikov.org or
    script.google.com or
    script.googleusercontent.com or
    paste4btc.com or
    workupload.com or
    temp.sh or
    filetransfer.io or
    gofile.io or
    store?.gofile.io or
    tiny.one or
    api.notion.com or
    *.sharepoint.com or
    *upload.ee or
    bit.ly or
    t.ly or
    cutt.ly or
    mbasic.facebook.com or
    api.gofile.io or
    file.io or
    api.anonfiles.com or
    api.trello.com or
    gist.githubusercontent.com or
    dpaste.com or
    *azurewebsites.net or
    *.zulipchat.com or
    *.4shared.com or
    filecloud.me or
    i.ibb.co or
    files.catbox.moe or
    *.getmyip.com or
    mockbin.org or
    webhook.site or
    run.mocky.io or
    *infinityfreeapp.com or
    free.keep.sh or
    tinyurl.com or
    ftpupload.net or
    lobfile.com or
    *.ngrok-free.app or
    myexternalip.com or
    yandex.ru or
    *.yandex.ru or
    *.aternos.me or
    cdn??.space or
    *.pcloud.com or
    mediafire.zip or
    urlz.fr or
    rentry.co or
    *.b-cdn.net or
    pastecode.dev or
    i.imgur.com or
    the.earth.li or
    *.trycloudflare.com
) and 
not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and 
not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true)  and 
not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)

Install detection rules in Elastic Security

Detect Unusual Network Connection to Suspicious Web Service in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).