High count network denies (outbound traffic)
Goal
Detects unusually rare processes compared to other processes on the host, using a rare function that detects values that occur rarely in time or rarely across a population.
Description
Models occurrences of process activities on the host.
Looks for an unusually large spike in network traffic that was denied by network ACLs or firewall rules. Such a burst of denied traffic is usually either:
A misconfigured application or firewall, or
Suspicious or malicious activity.
Unsuccessful attempts at network transit, such as connecting to command-and-control (C2) infrastructure or exfiltrating data, may produce a burst of failed connections. Unusually large amounts of reconnaissance or enumeration traffic can have the same effect, as can denial-of-service attacks or traffic floods.
Characteristics
Type
Network
Data source
Firewall
Required fields
sourceAddress
destinationPort
Using only these two fields may produce noisy alerts. In that case, also include the following field:
destination.geo.country_name
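The following is an added example, not part of this rule or its product: it runs a simplified spike test (leave-one-out mean plus z standard deviations, a stand-in for whatever model the product actually uses) over constructed firewall deny events, once keyed on sourceAddress and destinationPort and once with destination.geo.country_name added, to show how the extra field removes a diffuse, noisy rise while keeping a concentrated burst.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of firewall deny events, not real traffic. Each event is
# (time_bucket, sourceAddress, destinationPort, destination.geo.country_name).
COUNTRIES = ["US", "DE", "FR", "GB", "NL", "JP", "BR", "IN", "CA", "AU"]
SAMPLE_DENIES = (
    # 10.0.0.5: steady 2 denies/bucket to 443/US, then a 60-deny burst in bucket 10
    [(t, "10.0.0.5", 443, "US") for t in range(10) for _ in range(2)]
    + [(10, "10.0.0.5", 443, "US")] * 60
    # 10.0.0.9: 1 deny/bucket per country, then 3 per country in bucket 10 (diffuse rise)
    + [(t, "10.0.0.9", 443, c) for t in range(10) for c in COUNTRIES]
    + [(10, "10.0.0.9", 443, c) for c in COUNTRIES for _ in range(3)]
)
FIELD_INDEX = {"sourceAddress": 1, "destinationPort": 2, "destination.geo.country_name": 3}

def bucket_counts(events, key_fields):
    """Count denies per (partition key, time bucket); key_fields picks the partition."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        key = tuple(ev[FIELD_INDEX[f]] for f in key_fields)
        counts[key][ev[0]] += 1
    return counts

def find_spikes(events, key_fields, z=3.0, min_count=20):
    """Return (key, bucket, count, baseline_mean) for buckets whose deny count
    exceeds the key's own history by z standard deviations (leave-one-out).
    min_count suppresses alerts on keys whose volume is too small to matter.
    The threshold rule is an assumption for illustration, not the product's model."""
    alerts = []
    for key, per_bucket in bucket_counts(events, key_fields).items():
        for bucket, count in sorted(per_bucket.items()):
            others = [c for b, c in per_bucket.items() if b != bucket]
            if len(others) < 3 or count < min_count:
                continue  # not enough history, or too small to be a spike
            mu, sigma = mean(others), pstdev(others)
            if count > mu + z * max(sigma, 1.0):  # floor sigma so a flat baseline still alerts
                alerts.append((key, bucket, count, round(mu, 2)))
    return alerts

if __name__ == "__main__":
    two = find_spikes(SAMPLE_DENIES, ("sourceAddress", "destinationPort"))
    three = find_spikes(SAMPLE_DENIES,
                        ("sourceAddress", "destinationPort", "destination.geo.country_name"))
    print("two fields:", two)      # both hosts alert; 10.0.0.9's spread-out rise is noise
    print("three fields:", three)  # only the concentrated 10.0.0.5 burst remains
```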
Last updated