Spike in Bytes Sent to an External Device

edit

A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-2h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Data Exfiltration Detection
  • Rule Type: ML
  • Rule Type: Machine Learning
  • Tactic: Exfiltration

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

edit

Setup

The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).

Data Exfiltration Detection Setup

The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic’s Anomaly Detection feature.

Prerequisite Requirements:

  • Fleet is required for Data Exfiltration Detection.
  • To configure Fleet Server refer to the documentation.
  • File events collected by the Elastic Defend integration.
  • To install Elastic Defend, refer to the documentation.

The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:

  • Go to the Kibana homepage. Under Management, click Integrations.
  • In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
  • Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.

Anomaly Detection Setup

Before you can enable rules for Data Exfiltration Detection, you’ll need to enable the corresponding Anomaly Detection jobs. - Go to the Kibana homepage. Under Analytics, click Machine Learning. - Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your file events. For example, this would be logs-endpoint.events.* if you used Elastic Defend to collect events. - If the selected Data View contains events that match the query in this configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs". - Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.

Framework: MITRE ATT&CKTM