if you have front-facing proxies that provide authentication and tls, this rule would need to be tuned to eliminate the source ip address of your reverse-proxy.

t1190
network
elastic

Techniques

T1190

Sample rules

Inbound Connection to an Unsecure Elasticsearch Node

source: elastic
technicques:
- T1190

Description

Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.

Detection logic

(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND
    status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT
    _exists_:http.request.headers.authorization