IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Unusual Network Destination Domain Name
editUnusual Network Destination Domain Name
editA machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.
Rule type: machine_learning
Machine learning job: packetbeat_rare_server_domain
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
References:
Tags:
- Elastic
- ML
- Packetbeat
Version: 1
Added (Elastic Stack release): 7.7.0
Potential false positives
editWeb activity that occurs rarely in small quantities can trigger this signal. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this signal when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in these cases.