Deprecated TLS Version or Weak Cipher Negotiated Externally

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Deprecated TLS Version or Weak Cipher Negotiated Externally

edit

Identifies successful outbound TLS sessions that negotiate deprecated protocol versions (SSLv3, TLS 1.0, or TLS 1.1) or weak cipher suites such as RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Adversaries-in-the-middle and legacy malware often force these negotiations to decrypt or intercept traffic. Modern clients and services should negotiate TLS 1.2 or 1.3 with strong ciphers on internet-bound connections.

Rule type: new_terms

Rule indices:

  • logs-network_traffic.tls-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Network
  • Use Case: Network Security Monitoring
  • Use Case: Threat Detection
  • Data Source: Network Traffic
  • Tactic: Credential Access
  • Tactic: Command and Control
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Deprecated TLS Version or Weak Cipher Negotiated Externally

TLS downgrade and weak-cipher negotiation expose sessions to interception or decryption. This rule flags completed outbound TLS handshakes from internal hosts to external destinations that negotiated SSLv3, TLS 1.0, TLS 1.1, or a cipher suite containing RC4, 3DES, NULL, EXPORT, or anonymous key exchange material.

Possible investigation steps

  • Review source.ip, destination.ip, destination.port, tls.version, tls.version_protocol, and tls.cipher.
  • Determine whether the destination is a known legacy partner, vendor appliance, or unmanaged IoT device.
  • Check for concurrent alerts on the source host (credential access, C2, or proxy manipulation).
  • Compare against baseline: does this destination normally negotiate modern TLS from other clients?

False positive analysis

  • Exclude validated legacy B2B endpoints, mainframe gateways, or SCADA systems that cannot be upgraded immediately.
  • Some older mobile or embedded clients may still offer weak ciphers even when connecting to modern services; confirm whether the server accepted the weak option (this rule requires tls.established:true).

Response and remediation

  • Block or proxy traffic to the destination if downgrade appears attacker-driven.
  • Patch or replace the client or server that accepted deprecated TLS.
  • Enable TLS 1.2+ minimums on egress proxies and inspect for MITM appliances forcing weak negotiation.

Setup

edit

Setup

This rule requires TLS metadata from the Elastic network_traffic integration (network_traffic.tls data stream) that populates ECS tls.version, tls.version_protocol, tls.cipher, and tls.established fields.

Rule query

edit
data_stream.dataset:network_traffic.tls
  and network.protocol: tls
  and network.transport: tcp
  and tls.established: true
  and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
  and not destination.ip:(
    10.0.0.0/8 or
    100.64.0.0/10 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.2.0/24 or
    192.168.0.0/16 or
    192.175.48.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.88.99.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    224.0.0.0/4 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
  and (
    tls.version:(1.0 or 1.1) or
    (tls.version_protocol:ssl and tls.version:3.0) or
    (
      not tls.version:1.3 and (
        tls.cipher:(
          *RC4* or
          *3DES* or
          *NULL* or
          *EXPORT* or
          *_anon_* or
          *ADH* or
          *AECDH*
        )
      )
    )
  )

Framework: MITRE ATT&CKTM