From e74927933ea557e2243d9a3f134a4c5571be2d90 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 09:46:33 +0000
Subject: [PATCH 01/15] [New] Suricata and Elastic Defend - Command and Control Correlation
This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process performing the network activity.
---
 ...nd_control_suricata_elastic_defend_c2.toml | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
new file mode 100644
index 00000000000..75fb131cb87
--- /dev/null
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2025/12/10"
+integration = ["endpoint", "suricata"]
+maturity = "production"
+updated_date = "2025/12/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process
+performing the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suricata and Elastic Defend - Command and Control Correlation"
+references = [
+ "https://attack.mitre.org/tactics/TA0011/",
+ "https://www.elastic.co/docs/reference/integrations/panw",
+ "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Data Source: Suricata",
+ "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "suricata" and source.ip != nulll and destination.ip != null and
+ message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan",
+ "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected", "Misc Attack",
+ "Device Retrieving External IP Address Detected", "Attempted Information Leak", "Web Application Attack",
+ "SQL Injection Attempt", "Attempted User Privilege Gain", "Attempted Administrator Privilege Gain",
+ "Executable code was detected", "Webshell Tool Traffic", "Possibly Unwanted Program Detected", "A system call was detected",
+ "Unknown Traffic", "Crypto Currency Mining Activity Detected", "Possible Social Engineering Attempted")]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating Suricata and Elastic Defend - Command and Control Correlation
+
+### Possible investigation steps
+
+- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
From e5eee696cb16d781c2846b75c1fa736ce122900a Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 10:05:11 +0000
Subject: [PATCH 02/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 75fb131cb87..2cc548cb834 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -25,6 +25,7 @@ rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
 severity = "medium"
 tags = [
 "Domain: Endpoint",
+ "Domain: Network",
 "OS: Linux",
 "OS: Windows",
 "OS: macOS",
From 3c718b566e0f76223ba1ff3dead1b44412a0d0d5 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 10:05:51 +0000
Subject: [PATCH 03/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 2cc548cb834..89ae3013c02 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Suricata and Elastic Defend - Command and Control Correlation"
+name = "Suricata and Elastic Defend Network Correlation"
 references = [
 "https://attack.mitre.org/tactics/TA0011/",
 "https://www.elastic.co/docs/reference/integrations/panw",
@@ -49,7 +49,7 @@ sequence by source.port, source.ip, destination.ip with maxspan=1m
 '''
 note = """## Triage and analysis
 
-### Investigating Suricata and Elastic Defend - Command and Control Correlation
+### Investigating Suricata and Elastic Defend Network Correlation
 
 ### Possible investigation steps
 
From a56443fb29e132ace40d7130ee386ee05cdb5b29 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 11:15:16 +0000
Subject: [PATCH 04/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 89ae3013c02..87c1debd338 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -38,13 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "suricata" and source.ip != nulll and destination.ip != null and
- message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan",
- "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected", "Misc Attack",
- "Device Retrieving External IP Address Detected", "Attempted Information Leak", "Web Application Attack",
- "SQL Injection Attempt", "Attempted User Privilege Gain", "Attempted Administrator Privilege Gain",
- "Executable code was detected", "Webshell Tool Traffic", "Possibly Unwanted Program Detected", "A system call was detected",
- "Unknown Traffic", "Crypto Currency Mining Activity Detected", "Possible Social Engineering Attempted")]
+ [network where event.module == "suricata" and source.ip != null and destination.ip != null]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis
From 34dbd8f77c31ac7637bebed43364f452bdc8f87e Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 11:31:47 +0000
Subject: [PATCH 05/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 87c1debd338..8f6bb28d1cc 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
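Review bot: With the signature-classification list removed, nothing in the query ties a match to command-and-control any more — any Suricata `network` event with both IPs set now satisfies the first stage — yet the rule still carries `Tactic: Command and Control`, the `TA0011` threat mapping and the `_c2` filename. Either the MITRE mapping should become as generic as the query, or `description` should say that the tactic is nominal and the real classification comes from the correlated Suricata signature; a one-line hint such as `Tactic is indicative only; refer to the correlated Suricata alert for the signature category.` would do. The commit message gives no reason for dropping the list, which is worth recording since it was the rule's only category filter.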
@@ -11,13 +11,13 @@ This detection correlates Suricata alerts and events with Elastic Defend network
 performing the network activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-panw.panos-*"]
+index = ["logs-endpoint.events.network-*", "filebeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suricata and Elastic Defend Network Correlation"
 references = [
 "https://attack.mitre.org/tactics/TA0011/",
- "https://www.elastic.co/docs/reference/integrations/panw",
+ "https://www.elastic.co/docs/reference/integrations/suricata",
 "https://www.elastic.co/docs/reference/integrations/endpoint"
 ]
 risk_score = 47
From 1d2d7ed170ef63e11ae861d9d0cb42f69bbc602e Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 14:05:17 +0000
Subject: [PATCH 06/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 8f6bb28d1cc..29ed7dbf937 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -32,7 +32,6 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
 "Data Source: Elastic Defend",
- "Data Source: Suricata",
 "Resources: Investigation Guide",
 ]
 type = "eql"
From f33a87902aa130025e37ff20ff82fb56835313d8 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 14:14:43 +0000
Subject: [PATCH 07/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
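Review bot: `filebeat-*` is a very broad pattern for the first sequence stage: it spans every Filebeat dataset, so the query is evaluated against all of it on each run even though `event.module == "suricata"` keeps the results correct. If the legacy Filebeat Suricata module must remain supported, say so in `description` or a `setup` section; otherwise the integration's own data stream pattern alone would keep the rule scoped to sensor data. The reference URL swap in the same hunk is consistent with `integration` listing `suricata` at this point in the series.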
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 29ed7dbf937..f3091476fdc 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2025/12/10"
-integration = ["endpoint", "suricata"]
+integration = ["endpoint"]
 maturity = "production"
 updated_date = "2025/12/10"
 
@@ -32,6 +32,7 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
 "Data Source: Elastic Defend",
+ "Data Source: Suricata",
 "Resources: Investigation Guide",
 ]
 type = "eql"
From a4ae0de5661fd7da9f4d9b22d1751252d84cd123 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 14:42:17 +0000
Subject: [PATCH 08/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index f3091476fdc..fafb2f868f1 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -38,7 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "suricata" and source.ip != null and destination.ip != null]
+ [network where event.module == "suricata" and event.category == "intrusion_detection" and source.ip != null and destination.ip != null]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis
From ca8d32d8f9c44af0d7148f5d54dca85760e33ed6 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 14:45:44 +0000
Subject: [PATCH 09/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index fafb2f868f1..41bb2c2c74a 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -38,7 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "suricata" and event.category == "intrusion_detection" and source.ip != null and destination.ip != null]
+ [network where event.module == "suricata" and event.category == "intrusion_detection" and event.kind == "alert" and source.ip != null and destination.ip != null]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis
From 141b5434813c43b6601fcde3bf64fa7ba86c2463 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 14:48:57 +0000
Subject: [PATCH 10/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 41bb2c2c74a..5e55d545456 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -11,7 +11,7 @@ This detection correlates Suricata alerts and events with Elastic Defend network
 performing the network activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "filebeat-*"]
+index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suricata and Elastic Defend Network Correlation"
From 87a0ff15f4a045183e74ccf749f2718b0b102533 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 10 Dec 2025 14:51:39 +0000
Subject: [PATCH 11/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 5e55d545456..e07bdbc0277 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -7,8 +7,8 @@ updated_date = "2025/12/10"
 [rule]
 author = ["Elastic"]
 description = """
-This detection correlates Suricata alerts and events with Elastic Defend network events to identify the source process
-performing the network activity.
+This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing
+the network activity.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
From b14c1b858e9a9a40aaa9a15fe06535cda3ddc438 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 10 Dec 2025 07:10:18 -0800
Subject: [PATCH 12/15] Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index e07bdbc0277..bc71164d0f5 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2025/12/10"
-integration = ["endpoint"]
+integration = ["endpoint", "suricata"]
 maturity = "production"
 updated_date = "2025/12/10"
 
From e7a1ab8faa19639d539d1da84026fa9f1079b1aa Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 10 Dec 2025 15:20:30 +0000
Subject: [PATCH 13/15] Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index bc71164d0f5..f615911486e 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -38,7 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "suricata" and event.category == "intrusion_detection" and event.kind == "alert" and source.ip != null and destination.ip != null]
+ [network where event.module == "suricata" and event.kind == "alert" and event.severity != 3 and source.ip != null and destination.ip != null]
 [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis
From a14651d6eebeff518d3ab2fb0d8331a64ce21c99 Mon Sep 17 00:00:00 2001
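Review bot: `event.severity != 3` relies on Suricata's alert priority scale, where 1 is the most severe and 3 the least (assuming the integration passes the value through unchanged), so the bare `3` reads backwards to anyone expecting a higher number to mean worse; state the intent in `description` or a `setup` section, e.g. `Suricata priority-3 (lowest) alerts are excluded; priority 1 is the highest.` If some alert records arrive without `event.severity`, also confirm how EQL evaluates `!=` against a missing field, or add `event.severity != null` beside the existing IP null checks so the behaviour is explicit. Dropping `event.category == "intrusion_detection"` is fine while `event.kind == "alert"` remains, but the commit message does not say why it was removed.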
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 10 Dec 2025 16:01:17 +0000
Subject: [PATCH 14/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index f615911486e..8b2039ef8a2 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2025/12/10"
-integration = ["endpoint", "suricata"]
+integration = ["endpoint"]
 maturity = "production"
 updated_date = "2025/12/10"
 
From a2a678620aee40af3ea36bf44f278c8c33927b87 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 10 Dec 2025 16:24:57 +0000
Subject: [PATCH 15/15] Update command_and_control_suricata_elastic_defend_c2.toml
---
 .../command_and_control_suricata_elastic_defend_c2.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 8b2039ef8a2..f615911486e 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2025/12/10"
-integration = ["endpoint"]
+integration = ["endpoint", "suricata"]
 maturity = "production"
 updated_date = "2025/12/10"
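Review bot: `integration` is flipped back to `["endpoint"]` in patch 14 and to `["endpoint", "suricata"]` again in patch 15, the fourth reversal in this series after patches 07 and 12, and none of the commit messages say which value the rule validator actually accepts. Whichever value is final should be recorded in the PR description, and the series is a good candidate for squashing so the metadata history does not read as indecision. If `suricata` turns out not to be a recognised integration for the schema, the `Data Source: Suricata` tag and the `logs-suricata.*` index pattern still document the dependency on the sensor data.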