New

The executive guide to generative AI

Read more

Inbound Connection to an Unsecure Elasticsearch Node

edit

Inbound Connection to an Unsecure Elasticsearch Node

edit

Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.

Rule type: query

Rule indices:

  • packetbeat-*
  • logs-network_traffic.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Domain: Endpoint

Version: 102

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
event.dataset: network_traffic.http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT _exists_:http.request.headers.authorization

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback