Spike in Network Traffic To a Country

Last updated 7 months ago on 2025-01-15

Created 4 years ago on 2021-04-05

About

A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.

Tags: Use Case: Threat DetectionRule Type: MLRule Type: Machine Learning
Severity: low
Risk Score: 21
False Positive Examples: Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity.
License: Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

endpoint(opens in a new tab or window)

network_traffic(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Spike in Network Traffic To a Country in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).