« ImageLoad via Windows Update Auto Update Client Incoming DCOM Lateral Movement via MSHTA »
Elastic Docs Elastic Security Solution [8.16] Detections and alerts Prebuilt rule reference

Inbound Connection to an Unsecure Elasticsearch Node

edit

Inbound Connection to an Unsecure Elasticsearch Node

edit

Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.

Rule type: query

Rule indices:

  • packetbeat-*
  • logs-network_traffic.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Domain: Endpoint

Version: 104

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Setup

edit

This rule requires the addition of port 9200 and send_all_headers to the HTTP protocol configuration in packetbeat.yml. See the References section for additional configuration documentation.

Rule query

edit
(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND
    status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT
    _exists_:http.request.headers.authorization

Framework: MITRE ATT&CKTM

« ImageLoad via Windows Update Auto Update Client Incoming DCOM Lateral Movement via MSHTA »