EXPLORE
Sign In
← Back to Explore
elasticmediumTTP

Suricata and Elastic Defend Network Correlation

This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing the network activity.

MITRE ATT&CK

T1071T1571T1046
command-and-controldiscovery

Detection Query

sequence by source.port, source.ip, destination.ip with maxspan=5s
 [network where data_stream.dataset == "suricata.eve" and event.kind == "alert" and
  event.severity != 3 and source.ip != null and destination.ip != null and
  not source.domain : ("*nessusscan*", "SCCMPS*") and
  not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File", "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted") and
  not process.executable in ("System", "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Inventory\\PDQInventoryService.exe") and 
  not process.executable : "C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe"]

Author

Elastic

Created

2025/12/10

Data Sources

Elastic DefendSuricatalogs-endpoint.events.network-*filebeat-*logs-suricata.*

References

Tags

Domain: EndpointDomain: NetworkOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendData Source: SuricataResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2025/12/10"
integration = ["endpoint", "suricata"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing
the network activity.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
language = "eql"
license = "Elastic License v2"
name = "Suricata and Elastic Defend Network Correlation"
references = [
    "https://attack.mitre.org/tactics/TA0011/",
    "https://www.elastic.co/docs/reference/integrations/suricata",
    "https://www.elastic.co/docs/reference/integrations/endpoint"
]
risk_score = 47
rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Network",
    "OS: Linux",
    "OS: Windows",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Data Source: Suricata",
    "Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by source.port, source.ip, destination.ip with maxspan=5s
 [network where data_stream.dataset == "suricata.eve" and event.kind == "alert" and
  event.severity != 3 and source.ip != null and destination.ip != null and
  not source.domain : ("*nessusscan*", "SCCMPS*") and
  not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File", "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted") and
  not process.executable in ("System", "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Inventory\\PDQInventoryService.exe") and 
  not process.executable : "C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe"]
'''
note = """## Triage and analysis

### Investigating Suricata and Elastic Defend Network Correlation

### Possible investigation steps

- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
- Review the process details like command_line, privileges, global relevance and reputation.
- Assess the destination.ip reputation and global relevance.
- Review the parent process execution details like command_line, global relevance and reputation.
- Examine all network connection details performed by the process during last 48h.
- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.

### False positive analysis

- Trusted system or third party processes performing network activity that looks like beaconing.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate the suspicious processes and all associated children and parents.
- Implement network-level controls to block traffic to the destination.ip.
- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
- Reset credentials for any accounts associated with the source machine.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
"""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[[rule.threat.technique]]
id = "T1571"
name = "Non-Standard Port"
reference = "https://attack.mitre.org/techniques/T1571/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"