Potential Data Exfiltration Activity to an Unusual ISO Code

edit

Potential Data Exfiltration Activity to an Unusual ISO Code

edit

A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-6h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Data Exfiltration Detection
  • Rule Type: ML
  • Rule Type: Machine Learning
  • Tactic: Exfiltration

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setup

edit

Setup

The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).

Data Exfiltration Detection Setup

The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic’s Anomaly Detection feature.

Prerequisite Requirements:

  • Fleet is required for Data Exfiltration Detection.
  • To configure Fleet Server refer to the documentation.
  • Network events collected by the Elastic Defend or Network Packet Capture integration.
  • To install Elastic Defend, refer to the documentation.
  • To add the Network Packet Capture integration to an Elastic Agent policy, refer to this guide.

The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:

  • Go to the Kibana homepage. Under Management, click Integrations.
  • In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
  • Follow the instructions under the Installation section.
  • For this rule to work, complete the instructions through Add preconfigured anomaly detection jobs.

Framework: MITRE ATT&CKTM