elastic · Samirbous · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2025/12/10"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/12/10"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing
+the network activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*", "filebeat-*", "logs-suricata.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suricata and Elastic Defend Network Correlation"
+references = [
+    "https://attack.mitre.org/tactics/TA0011/",
+    "https://www.elastic.co/docs/reference/integrations/suricata",
+    "https://www.elastic.co/docs/reference/integrations/endpoint"
+]
+risk_score = 47
+rule_id = "9edd000e-cbd1-4d6a-be72-2197b5625a05"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "Domain: Network",
+    "OS: Linux",
+    "OS: Windows",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Data Source: Suricata",
+    "Resources: Investigation Guide",
+]
+type = "eql"
+query = '''
+sequence by source.port, source.ip, destination.ip with maxspan=1m
+ [network where event.module == "suricata" and event.category == "intrusion_detection" and event.kind == "alert" and source.ip != null and destination.ip != null]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+'''
+note = """## Triage and analysis
+
+### Investigating Suricata and Elastic Defend Network Correlation
+
+### Possible investigation steps
+
+- Investigate in the Timeline feature the two events matching this correlation (Suricata and Elastic Defend).
+- Review the process details like command_line, privileges, global relevance and reputation.
+- Assess the destination.ip reputation and global relevance.
+- Review the parent process execution details like command_line, global relevance and reputation.
+- Examine all network connection details performed by the process during last 48h.
+- Correlate the alert with other security events or logs to identify any patterns or additional indicators of compromise related to the same process or network activity.
+
+### False positive analysis
+
+- Trusted system or third party processes performing network activity that looks like beaconing.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate the suspicious processes and all associated children and parents.
+- Implement network-level controls to block traffic to the destination.ip.
+- Conduct a thorough review of the system's configuration files to identify unauthorized changes.
+- Reset credentials for any accounts associated with the source machine.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"