LoFP

This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend investigating these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.

Techniques

Sample rules

High Volume of Bytes Out to Url

Description

The following analytic detects a high volume of bytes out (greater than 1 GB) to a URL within a 2-minute time window. This may indicate an attacker attempting to exfiltrate data. The search applies a basic threshold for detecting large web uploads, with the aim of identifying potential data exfiltration by malware or malicious insiders. View the alert for $dest$ to investigate further.

Detection logic

| tstats  `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype 
| search sum_bytes_out > 1070000000 
| `drop_dm_object_name("Web")`
| `high_volume_of_bytes_out_to_url_filter`
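As an added illustration (not part of the rule or of the Splunk content it comes from), the following Python reproduces the SPL's 2-minute bucketing, per-URL summation and threshold over constructed Web data-model events, and uses an app allowlist as a stand-in for the filter macro; the app name, URLs, hosts and byte counts are made-up values.

```python
from datetime import datetime

THRESHOLD_BYTES = 1_070_000_000   # same threshold as the SPL: sum_bytes_out > 1070000000
SPAN_SECONDS = 120                # span=2m
# Stand-in for `high_volume_of_bytes_out_to_url_filter`: apps that legitimately upload
# large volumes. The app name is an assumed example value, not a real macro entry.
ALLOWLISTED_APPS = {"corp-backup-agent"}

# Constructed Web data-model events, not real traffic.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:05Z", "url": "https://files.example.net/upload", "src": "10.1.2.3",
     "sourcetype": "proxy", "user": "alice", "app": "browser", "dest": "files.example.net", "bytes_out": 600_000_000},
    {"_time": "2024-05-01T10:01:50Z", "url": "https://files.example.net/upload", "src": "10.1.2.3",
     "sourcetype": "proxy", "user": "alice", "app": "browser", "dest": "files.example.net", "bytes_out": 500_000_000},
    {"_time": "2024-05-01T10:03:30Z", "url": "https://share.example.org/put", "src": "10.1.2.4",
     "sourcetype": "proxy", "user": "bob", "app": "browser", "dest": "share.example.org", "bytes_out": 800_000_000},
    {"_time": "2024-05-01T10:04:10Z", "url": "https://share.example.org/put", "src": "10.1.2.4",
     "sourcetype": "proxy", "user": "bob", "app": "browser", "dest": "share.example.org", "bytes_out": 800_000_000},
    {"_time": "2024-05-01T10:10:00Z", "url": "https://backup.example.com/api", "src": "10.1.2.9",
     "sourcetype": "proxy", "user": "svc-backup", "app": "corp-backup-agent", "dest": "backup.example.com", "bytes_out": 2_000_000_000},
]

def bucket_start(ts):
    """Floor a UTC ISO-8601 timestamp to the start of its 2-minute span, like `by _time span=2m`."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % SPAN_SECONDS

def aggregate(events):
    """tstats equivalent: group by (_time bucket, url, src, sourcetype), sum bytes_out, collect values()."""
    groups = {}
    for e in events:
        key = (bucket_start(e["_time"]), e["url"], e["src"], e["sourcetype"])
        g = groups.setdefault(key, {"sum_bytes_out": 0, "user": set(), "app": set(), "dest": set()})
        g["sum_bytes_out"] += e["bytes_out"]
        for field in ("user", "app", "dest"):
            g[field].add(e[field])
    return groups

def detect(events, threshold=THRESHOLD_BYTES, allowlist=ALLOWLISTED_APPS):
    """Apply the threshold, then the filter step: drop groups whose apps are all allowlisted."""
    findings = []
    for (t, url, src, sourcetype), g in sorted(aggregate(events).items()):
        if g["sum_bytes_out"] <= threshold:
            continue
        if g["app"] and g["app"] <= allowlist:
            continue  # legitimate high-volume uploader, the kind the filter macro should exclude
        findings.append({"_time": t, "url": url, "src": src, "sourcetype": sourcetype, "sum_bytes_out": g["sum_bytes_out"],
                         "user": sorted(g["user"]), "app": sorted(g["app"]), "dest": sorted(g["dest"])})
    return findings
```

Note that bob's two 800 MB uploads fall into different 2-minute buckets and so never cross the threshold, while alice's two smaller uploads in one bucket do; the backup agent's 2 GB upload is suppressed only by the allowlist.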