Potential Data Exfiltration Activity to an Unusual Region

calendar Mar 11, 2024 · Use Case: Data Exfiltration Detection Rule Type: ML Rule Type: Machine Learning Tactic: Exfiltration  ·
Share on: linkedin copy

A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/09/22"
 3integration = ["ded", "endpoint", "network_traffic"]
 4maturity = "production"
 5min_stack_comments = "New rule"
 6min_stack_version = "8.9.0"
 7updated_date = "2023/12/12"
 8
 9[rule]
10anomaly_threshold = 75
11author = ["Elastic"]
12description = """
13A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to
14geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command
15and control channels.
16"""
17from = "now-6h"
18interval = "15m"
19license = "Elastic License v2"
20machine_learning_job_id = "ded_high_sent_bytes_destination_region_name"
21name = "Potential Data Exfiltration Activity to an Unusual Region"
22setup = """## Setup
23
24The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).  
25
26### Data Exfiltration Detection Setup
27The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
28
29#### Prerequisite Requirements:
30- Fleet is required for Data Exfiltration Detection.
31- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
32- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.
33- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
34- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
35
36#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
37- Go to the Kibana homepage. Under Management, click Integrations.
38- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
39- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.
40
41#### Anomaly Detection Setup
42Before you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. 
43- Go to the Kibana homepage. Under Analytics, click Machine Learning.
44- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your network data. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.
45- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under "Use preconfigured jobs".
46- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
47"""
48references = [
49    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
50    "https://docs.elastic.co/en/integrations/ded",
51    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
52]
53risk_score = 21
54rule_id = "bfba5158-1fd6-4937-a205-77d96213b341"
55severity = "low"
56tags = [
57    "Use Case: Data Exfiltration Detection",
58    "Rule Type: ML",
59    "Rule Type: Machine Learning",
60    "Tactic: Exfiltration",
61]
62type = "machine_learning"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1041"
67name = "Exfiltration Over C2 Channel"
68reference = "https://attack.mitre.org/techniques/T1041/"
69
70
71[rule.threat.tactic]
72id = "TA0010"
73name = "Exfiltration"
74reference = "https://attack.mitre.org/tactics/TA0010/"

References

Related rules

to-top