{
"description": "Security: Network - looks for an unusual destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.",
"groups": ["security", "network"],
"analysis_config": {
"bucket_span": "15m",
"detectors": [
{
"detector_description": "Detects rare country names.",
"function": "rare",
"by_field_name": "destination.geo.country_name",
"detector_index": 0
}
],
"influencers": [
"destination.geo.country_name",
"destination.as.organization.name",
"source.ip",
"destination.ip"
]
},
"allow_lazy_open": true,
"analysis_limits": {
"model_memory_limit": "32mb"
},
"data_description": {
"time_field": "@timestamp"
},
"custom_settings": {
"created_by": "ml-module-security-network",
"security_app_display_name": "Network Traffic to Rare Destination Country",
"managed": true,
"job_revision": 4
}
}