SQL Traffic to the Internetedit

Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.

Rule type: query

Rule indices:

  • filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100


  • Elastic
  • Network

Version: 3 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Potential false positivesedit

Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet.

Rule queryedit

network.transport:tcp and destination.port:(1433 or 1521 or 3336 or
5432) and source.ip:( or or
and not destination.ip:( or or or or "::1")

Threat mappingedit


Rule version historyedit

Version 3 (7.7.0 release)

Updated query, changed from:

network.transport: tcp and destination.port: (1433 or 1521 or 3336 or
5432) and ( network.direction: outbound or ( source.ip: (
or or and not destination.ip:
( or or ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.