IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Spike in Bytes Sent to an External Device Unusual Process Writing Data to an External Device »

› ›

Spike in Bytes Sent to an External Device via Airdrop

edit

Spike in Bytes Sent to an External Device via Airdrop

edit

A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-2h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over Other Network Medium
- ID: T1011
- Reference URL: https://attack.mitre.org/techniques/T1011/

« Spike in Bytes Sent to an External Device Unusual Process Writing Data to an External Device »