New

The executive guide to generative AI

Read more

Inbound Connection to an Unsecure Elasticsearch Node

edit

Inbound Connection to an Unsecure Elasticsearch Node

edit

Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.

Rule type: query

Rule indices:

  • auditbeat-*
  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Network
  • Threat Detection
  • Initial Access
  • Host

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Config

This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.

Rule query

edit
event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT _exists_:http.request.headers.authorization

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback