1{ 2 "anomaly_threshold": 25, 3 "author": [ 4 "Elastic" 5 ], 6 "description": "Identifies system network connection discovery commands executed by a user account that does not normally run them on the host. This can be due to uncommon troubleshooting activity or to a compromised account. A threat actor using a compromised account may enumerate network connections to learn which services and systems the host communicates with; that information can shape follow-up behaviors such as lateral movement or additional discovery. Because this is an anomaly-detection rule, an alert indicates unusual activity rather than confirmed compromise: confirm whether the user has a legitimate administrative reason to inspect network connections on that host before escalating.", 7 "false_positives": [ 8 "Uncommon user command activity can be due to an engineer logging onto a server instance to perform manual troubleshooting or reconfiguration." 9 ], 10 "from": "now-45m", 11 "interval": "15m", 12 "license": "Elastic License v2", 13 "machine_learning_job_id": "linux_network_connection_discovery", 14 "name": "Unusual Linux Network Connection Discovery", 15 "risk_score": 21, 16 "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", 17 "severity": "low", 18 "tags": [ 19 "Elastic", 20 "Host", 21 "Linux", 22 "Threat Detection", 23 "ML" 24 ], 25 "threat": [ 26 { 27 "framework": "MITRE ATT&CK", 28 "tactic": { 29 "id": "TA0007", 30 "name": "Discovery", 31 "reference": "https://attack.mitre.org/tactics/TA0007/" 32 }, 33 "technique": [ 34 { 35 "id": "T1049", 36 "name": "System Network Connections Discovery", 37 "reference": "https://attack.mitre.org/techniques/T1049/" 38 } 39 ] 40 } 41 ], 42 "type": "machine_learning", 43 "version": 2 44} 45