The SIEM app is now a part of the Elastic Security solution; the current documentation lives there.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
TCP Port 8000 is commonly used for development environments of web server software. It generally should not be exposed directly to the Internet. If you are running software like this on the Internet, you should consider placing it behind a reverse proxy.
Rule type: query
Rule indices:
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Network
Version: 3 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Because this port is in the ephemeral range, this rule may produce false positives under certain conditions, such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded. Some applications may use this port, but this is very uncommon and usually appears in local traffic using private IPs, which this rule does not match. Some cloud environments, particularly development environments, may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet.
network.transport:tcp and destination.port:8000 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
Framework: MITRE ATT&CK™
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Commonly Used Port
- ID: T1043
- Reference URL: https://attack.mitre.org/techniques/T1043/
- Version 3 (7.7.0 release)
Updated query, changed from:
network.transport: tcp and destination.port: 8000 and (network.direction: outbound or ( source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )
- Version 2 (7.6.1 release)
- Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.
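To make the rule's boundaries concrete, the following is an added Python example (not Elastic's own code) that replays the version 2 and version 3 query conditions over a handful of constructed ECS-style events and models the NATed-server exclusion described in the false positives section. The event dictionaries, their `id` values and the `run_rule`/`excluded_sources` helper are assumptions made for this illustration; the CIDR blocks and port are copied from the two queries on this page.

```python
"""Replay of the 'TCP Port 8000 Activity to the Internet' rule logic.

Added example, not Elastic's code. Events are constructed ECS-like
documents; the rule versions mirror the two queries shown on the page.
"""
import ipaddress


def _cidrs(*nets):
    # "::1" becomes ::1/128, matching how the KQL query treats the literal.
    return [ipaddress.ip_network(n) for n in nets]


# Address ranges exactly as they appear in the rule queries on this page.
PRIVATE_SOURCES = _cidrs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
EXCLUDED_DEST_V2 = _cidrs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
EXCLUDED_DEST_V3 = _cidrs("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                          "192.168.0.0/16", "::1")


def in_any(ip, networks):
    """True if the address lies in any of the given networks (family-aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def base_match(ev):
    # Common prefix of both queries: TCP traffic to destination port 8000.
    return ev.get("network.transport") == "tcp" and ev.get("destination.port") == 8000


def matches_v2(ev):
    """Version 2 query: outbound direction OR private source to non-private dest."""
    if not base_match(ev):
        return False
    if ev.get("network.direction") == "outbound":
        return True
    return (in_any(ev["source.ip"], PRIVATE_SOURCES)
            and not in_any(ev["destination.ip"], EXCLUDED_DEST_V2))


def matches_v3(ev):
    """Version 3 query: drops network.direction, adds loopback exclusions."""
    return (base_match(ev)
            and in_any(ev["source.ip"], PRIVATE_SOURCES)
            and not in_any(ev["destination.ip"], EXCLUDED_DEST_V3))


def run_rule(events, match=matches_v3, excluded_sources=()):
    """Return ids of events that would become signals.

    excluded_sources is a hypothetical stand-in for a rule exception that
    drops a known NATed web server whose replies land on port 8000.
    """
    skip = _cidrs(*excluded_sources)
    return [ev["id"] for ev in events
            if match(ev) and not in_any(ev["source.ip"], skip)]


# Constructed sample events (not real Filebeat data).
SAMPLE_EVENTS = [
    # Dev server on a private address talking to an Internet host on 8000.
    {"id": "dev-to-internet", "network.transport": "tcp", "network.direction": "outbound",
     "source.ip": "10.20.0.7", "destination.ip": "203.0.113.10", "destination.port": 8000},
    # NATed web server replying to an Internet client that happened to pick
    # source port 8000: the false positive described on this page.
    {"id": "nat-reply", "network.transport": "tcp", "network.direction": "outbound",
     "source.ip": "192.168.10.5", "destination.ip": "198.51.100.77", "destination.port": 8000},
    # Internal traffic tagged outbound by the sensor: version 2's
    # network.direction clause matched it, version 3 does not.
    {"id": "lan-only", "network.transport": "tcp", "network.direction": "outbound",
     "source.ip": "10.20.0.7", "destination.ip": "10.20.0.9", "destination.port": 8000},
    # Loopback destination: version 2 matched this, version 3 excludes it.
    {"id": "loopback", "network.transport": "tcp", "network.direction": "inbound",
     "source.ip": "172.16.4.4", "destination.ip": "127.0.0.1", "destination.port": 8000},
    # UDP on 8000 is out of scope for both versions.
    {"id": "udp-8000", "network.transport": "udp", "network.direction": "outbound",
     "source.ip": "10.20.0.7", "destination.ip": "203.0.113.10", "destination.port": 8000},
]


if __name__ == "__main__":
    print("v2 signals:", run_rule(SAMPLE_EVENTS, match=matches_v2))
    print("v3 signals:", run_rule(SAMPLE_EVENTS))
    print("v3 with NATed server excluded:",
          run_rule(SAMPLE_EVENTS, excluded_sources=("192.168.10.5",)))
```

Running it shows why version 3 is quieter: the `lan-only` and `loopback` events fire only under the version 2 query, and the `nat-reply` false positive disappears once the server's address is excluded, which is the tuning step the false positives section recommends.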