[New] Suricata and Elastic Defend - Command and Control Correlation

Samirbous · Samirbous · commit e74927933ea5 · 2025-12-10T09:46:33.000Z
This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process
performing the network activity.
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2025/12/10"
+integration = ["endpoint", "suricata"]
+maturity = "production"
+updated_date = "2025/12/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process
+performing the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suricata and Elastic Defend - Command and Control Correlation"
+references = [
+    "https://attack.mitre.org/tactics/TA0011/",
+    "https://www.elastic.co/docs/reference/integrations/panw",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: Suricata",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "suricata" and source.ip != nulll and destination.ip != null and
+  message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan",
+              "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected", "Misc Attack",
+              "Device Retrieving External IP Address Detected", "Attempted Information Leak", "Web Application Attack",
+              "SQL Injection Attempt", "Attempted User Privilege Gain", "Attempted Administrator Privilege Gain",
+              "Executable code was detected", "Webshell Tool Traffic", "Possibly Unwanted Program Detected", "A system call was detected",
+              "Unknown Traffic", "Crypto Currency Mining Activity Detected", "Possible Social Engineering Attempted")]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating Suricata and Elastic Defend - Command and Control Correlation
+
+### Possible investigation steps
+
+- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
