IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Potential Data Exfiltration Activity to an Unusual IP Address Potential Data Exfiltration Activity to an Unusual Region »

› ›

Potential Data Exfiltration Activity to an Unusual Destination Port

edit

Potential Data Exfiltration Activity to an Unusual Destination Port

edit

A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-6h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over C2 Channel
- ID: T1041
- Reference URL: https://attack.mitre.org/techniques/T1041/

« Potential Data Exfiltration Activity to an Unusual IP Address Potential Data Exfiltration Activity to an Unusual Region »