Spike in Number of Connections Made from a Source IP

edit

Spike in Number of Connections Made from a Source IP

edit

A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-12h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Lateral Movement Detection
  • Rule Type: ML
  • Rule Type: Machine Learning
  • Tactic: Lateral Movement

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Framework: MITRE ATT&CKTM