IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.
Rule type: machine_learning
Machine learning job: packetbeat_rare_server_domain
Machine learning anomaly threshold: 50
Risk score: 21
Runs every: 15 minutes
Maximum signals per execution: 100
Added (Elastic Stack release): 7.7.0
Web activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in these cases.
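The false-positive cases above and the effect of excluding domains, shown as an added example that is not Elastic's code. A plain baseline frequency count stands in for the `packetbeat_rare_server_domain` model, which this does not reproduce; the function names, hosts, domains and exclusion list are all constructed for illustration.

```python
from collections import Counter

def normalize(domain):
    """Lower-case and drop the trailing root dot so equal names compare equal."""
    return domain.lower().rstrip(".")

def is_excluded(domain, excluded):
    """Match an excluded entry exactly or as a parent domain, on label boundaries."""
    d = normalize(domain)
    return any(d == e or d.endswith("." + e) for e in map(normalize, excluded))

def rare_domains(baseline, current, excluded=(), max_baseline_hits=0):
    """Return {domain: [hosts]} for current-bucket domains rarely seen in baseline."""
    seen = Counter(normalize(d) for _, d in baseline)
    flagged = {}
    for host, domain in current:
        d = normalize(domain)
        if is_excluded(d, excluded):
            continue  # tuned out as a known sparse-but-benign destination
        if seen[d] <= max_baseline_hits:
            flagged.setdefault(d, set()).add(host)
    return {d: sorted(hosts) for d, hosts in flagged.items()}

# Constructed sample data: (source host, destination domain) pairs.
BASELINE = ([("ws-07", "intranet.example.com")] * 40
            + [("ws-12", "updates.example.net")] * 25)
CURRENT = [
    ("ws-07", "Intranet.Example.com."),      # common, seen in baseline
    ("ws-12", "kb.vendor-support.example"),  # sparse vendor support site
    ("ws-07", "txn-8f3a.pay.example.org"),   # per-transaction host name
    ("ws-07", "cdn-x7.example.invalid"),     # no known explanation
]
EXCLUDED = ["vendor-support.example", "pay.example.org"]

if __name__ == "__main__":
    print("no exclusions:", rare_domains(BASELINE, CURRENT))
    print("with exclusions:", rare_domains(BASELINE, CURRENT, EXCLUDED))
```

Matching exclusions on label boundaries keeps an entry such as `pay.example.org` from also suppressing an unrelated name like `notpay.example.org`.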