Spike in Bytes Sent to an External Device via Airdrop

calendar May 28, 2024 · Use Case: Data Exfiltration Detection Rule Type: ML Rule Type: Machine Learning Tactic: Exfiltration  ·
Share on: linkedin copy

A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/09/22"
 3integration = ["ded", "endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8anomaly_threshold = 75
 9author = ["Elastic"]
10description = """
11A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical
12operational setting, there is usually a predictable pattern or a certain range of data that is written to external
13devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer
14activities.
15"""
16from = "now-2h"
17interval = "15m"
18license = "Elastic License v2"
19machine_learning_job_id = "ded_high_bytes_written_to_external_device_airdrop"
20name = "Spike in Bytes Sent to an External Device via Airdrop"
21references = [
22    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
23    "https://docs.elastic.co/en/integrations/ded",
24    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
25]
26risk_score = 21
27rule_id = "e92c99b6-c547-4bb6-b244-2f27394bc849"
28setup = """## Setup
29
30The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).  
31
32### Data Exfiltration Detection Setup
33The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
34
35#### Prerequisite Requirements:
36- Fleet is required for Data Exfiltration Detection.
37- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
38- File events collected by the Elastic Defend integration.
39- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
40
41#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
42- Go to the Kibana homepage. Under Management, click Integrations.
43- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
44- Follow the instructions under the **Installation** section.
45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
46"""
47severity = "low"
48tags = [
49    "Use Case: Data Exfiltration Detection",
50    "Rule Type: ML",
51    "Rule Type: Machine Learning",
52    "Tactic: Exfiltration",
53]
54type = "machine_learning"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1011"
59name = "Exfiltration Over Other Network Medium"
60reference = "https://attack.mitre.org/techniques/T1011/"
61
62
63[rule.threat.tactic]
64id = "TA0010"
65name = "Exfiltration"
66reference = "https://attack.mitre.org/tactics/TA0010/"

References

Related rules

to-top