[BUG] ESCU - Outbound Network Connection from Java Using Default Ports - Rule #3751

@thegreatmhn

Description

Detects outbound network connections initiated by Java processes (java.exe, javaw.exe) to default ports commonly used by LDAP or RMI services (e.g., 389, 636, 1389, 1099).
Such activity may indicate attempts to perform JNDI lookups or remote class loading, which are often observed in exploitation of Java-based vulnerabilities (e.g., Log4Shell) or malicious Java applications communicating with external servers.
The original SPL uses a join on the process_id field between the Endpoint.Processes and Network_Traffic.All_Traffic datamodels.
However, due to the 50,000-row limit in subsearch results and ESCU's internal policy discouraging join operations—especially across network-related data models—it is recommended to replace the join with a direct filter using the All_Traffic.app field.
Replace the join section with a where clause such as:
| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic
    where (All_Traffic.dest_port IN (389, 636, 1389, 1099))
    AND All_Traffic.app IN ("*java.exe", "*javaw.exe")
This modification improves rule performance, reduces search cost, and increases accuracy by directly correlating network traffic generated by Java processes without exceeding subsearch limits.
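To make the failure mode behind this issue concrete, the following is an added example (not code from the issue, from ESCU or from Splunk) that emulates both rule shapes in Python over constructed sample events. It assumes, as the issue does, that the data source populates All_Traffic.app with the originating process image, and it assumes the network-traffic side of the original rule is the subsearch, because that is the high-volume side on an AD-joined host where port 389 traffic is constant. The 50,000-row cap emulated here is Splunk's default join subsearch limit (limits.conf, [join] subsearch_maxout); the process IDs, paths and destinations are constructed.

```python
"""Emulate the join-based rule versus the direct-filter rewrite on constructed data.

Shows why a join on process_id silently drops the interesting Java flow once the
subsearch side exceeds the 50,000-row cap, while filtering All_Traffic on
dest_port and app finds it regardless of traffic volume.
"""
from fnmatch import fnmatch

# Splunk's default cap on rows a join subsearch may return (limits.conf, [join] subsearch_maxout).
SUBSEARCH_MAXOUT = 50_000
LDAP_RMI_PORTS = {389, 636, 1389, 1099}          # default LDAP/RMI ports from the rule
JAVA_IMAGES = ("*java.exe", "*javaw.exe")        # All_Traffic.app wildcard patterns from the issue


def make_sample_data(n_ldap_flows=60_000, java_pid=4242):
    """Constructed sample data (not real telemetry).

    Endpoint.Processes: a few rows, one of them java.exe.
    Network_Traffic.All_Traffic: a large volume of ordinary LDAP traffic from lsass.exe
    (normal on any domain-joined host) with a single Java-originated flow to port 1389
    placed *after* the 50,000-row cutoff, plus an out-of-scope Java HTTPS flow.
    """
    processes = [
        {"process_id": 1000, "process_name": "lsass.exe"},
        {"process_id": java_pid, "process_name": "java.exe"},
        {"process_id": 1100, "process_name": "svchost.exe"},
    ]
    traffic = [{"process_id": 1000, "app": r"C:\Windows\System32\lsass.exe",
                "dest_port": 389, "dest": "10.0.0.5"} for _ in range(n_ldap_flows)]
    # The event the rule exists to catch: Java talking to a non-standard LDAP port.
    traffic.append({"process_id": java_pid, "app": r"C:\Program Files\Java\bin\java.exe",
                    "dest_port": 1389, "dest": "203.0.113.10"})
    # Java HTTPS traffic: not on a monitored port, must not fire.
    traffic.append({"process_id": java_pid, "app": r"C:\Program Files\Java\bin\java.exe",
                    "dest_port": 443, "dest": "203.0.113.11"})
    return processes, traffic


def is_java(image):
    """Case-insensitive wildcard match against the same patterns the SPL uses."""
    return any(fnmatch(image.lower(), pat) for pat in JAVA_IMAGES)


def join_detection(processes, traffic, maxout=SUBSEARCH_MAXOUT):
    """Original rule shape: outer search = Java processes, subsearch = All_Traffic rows on
    the LDAP/RMI ports, joined on process_id. The subsearch is truncated to `maxout`
    rows *before* the join runs, exactly as Splunk does, so anything past the cap is lost."""
    subsearch = [t for t in traffic if t["dest_port"] in LDAP_RMI_PORTS][:maxout]
    by_pid = {}
    for t in subsearch:
        by_pid.setdefault(t["process_id"], []).append(t)
    hits = []
    for p in processes:
        if is_java(p["process_name"]):
            for t in by_pid.get(p["process_id"], []):
                hits.append((p["process_name"], t["dest"], t["dest_port"]))
    return hits


def direct_filter_detection(traffic):
    """The rewrite proposed in the issue: no join; filter All_Traffic alone on
    dest_port and the app (originating image) field, with no subsearch cap involved."""
    return [(t["app"], t["dest"], t["dest_port"])
            for t in traffic
            if t["dest_port"] in LDAP_RMI_PORTS and is_java(t["app"])]


def compare():
    """Run both rule shapes over the same constructed data set."""
    processes, traffic = make_sample_data()
    return {"join": join_detection(processes, traffic),
            "direct": direct_filter_detection(traffic)}


if __name__ == "__main__":
    result = compare()
    print("join-based rule hits:   ", result["join"])
    print("direct-filter rule hits:", result["direct"])
```

With 60,000 port-389 flows ahead of it, the Java flow to port 1389 never reaches the join and the original rule returns nothing, while the direct filter returns exactly that one flow; shrinking the constructed LDAP volume below the cap makes the join find it again, which is why the gap is easy to miss in a small test environment. The rewrite only works where All_Traffic.app actually carries the originating image, so that field mapping is worth verifying for each network data source before relying on it.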

Labels: bug