IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Unusual Remote File Size
editUnusual Remote File Size
editA machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.
Rule type: machine_learning
Rule indices: None
Severity: low
Risk score: 21
Runs every: 15m
Searches indices from: now-90m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Use Case: Lateral Movement Detection
- Rule Type: ML
- Rule Type: Machine Learning
- Tactic: Lateral Movement
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/