Techniques
Sample rules
High Volume of Bytes Out to Url
- source: splunk
- techniques:
  - T1567
Description
The following analytic detects a high volume of bytes out (greater than 1GB) to a URL within a 2-minute time window. This may indicate an attacker attempting to exfiltrate data. The search applies a simple threshold for detecting significant web uploads, with the aim of identifying potential data exfiltration by malware or malicious insiders. View the alert for $dest$ to investigate further.
Detection logic
| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype
| search sum_bytes_out > 1070000000
| `drop_dm_object_name("Web")`
| `high_volume_of_bytes_out_to_url_filter`
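To show what the search above computes, here is an added Python re-implementation (not Splunk's own code) of the aggregation run over constructed proxy events: bucket by 2-minute span, group by url, src and sourcetype, sum bytes_out, and keep groups over the 1070000000-byte threshold. The field names mirror the Web datamodel fields the search uses; the hosts, URLs and timestamps are made up.

```python
"""Re-implementation of the 'High Volume of Bytes Out to Url' logic over
constructed sample events (added example, not Splunk security content)."""
from collections import defaultdict

THRESHOLD_BYTES = 1_070_000_000   # matches: search sum_bytes_out > 1070000000
SPAN_SECONDS = 120                # matches: by _time span=2m


def ev(t, url, src, bytes_out, user="alice"):
    """Build one constructed event with the Web datamodel fields the search uses."""
    return {"_time": t, "url": url, "src": src, "sourcetype": "proxy",
            "user": user, "app": "http", "dest": url.split("/")[2],
            "bytes_out": bytes_out}


# Constructed sample data: 1_700_000_040 is an exact 2-minute bucket boundary.
SAMPLE_EVENTS = [
    # three uploads from one host to one URL inside one 2-minute bucket (1.1 GB)
    ev(1_700_000_040, "https://files.example.test/upload", "10.0.0.5", 400_000_000),
    ev(1_700_000_070, "https://files.example.test/upload", "10.0.0.5", 400_000_000),
    ev(1_700_000_130, "https://files.example.test/upload", "10.0.0.5", 300_000_000),
    # ordinary browsing, far below the threshold
    ev(1_700_000_050, "https://www.example.test/", "10.0.0.7", 2_048, user="bob"),
    # a 1.2 GB transfer logged as two events on either side of a bucket edge
    ev(1_700_000_150, "https://cdn.example.test/put", "10.0.0.9", 600_000_000, "carol"),
    ev(1_700_000_170, "https://cdn.example.test/put", "10.0.0.9", 600_000_000, "carol"),
]


def detect_high_volume_out(events, threshold=THRESHOLD_BYTES, span=SPAN_SECONDS):
    """Mirror the tstats aggregation: sum bytes_out and collect user/app/dest
    per (time bucket, url, src, sourcetype); return groups above threshold."""
    groups = defaultdict(lambda: {"count": 0, "sum_bytes_out": 0,
                                  "user": set(), "app": set(), "dest": set()})
    for e in events:
        bucket = (e["_time"] // span) * span          # span=2m bucketing of _time
        g = groups[(bucket, e["url"], e["src"], e["sourcetype"])]
        g["count"] += 1
        g["sum_bytes_out"] += e["bytes_out"]
        for field in ("user", "app", "dest"):          # values(Web.user) etc.
            g[field].add(e[field])
    alerts = []
    for (bucket, url, src, sourcetype), g in sorted(groups.items()):
        if g["sum_bytes_out"] > threshold:
            alerts.append({"_time": bucket, "url": url, "src": src,
                           "sourcetype": sourcetype, "count": g["count"],
                           "sum_bytes_out": g["sum_bytes_out"],
                           "user": sorted(g["user"]), "app": sorted(g["app"]),
                           "dest": sorted(g["dest"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_high_volume_out(SAMPLE_EVENTS):
        print(alert)
```

Only the files.example.test upload fires: the cdn.example.test transfer totals 1.2 GB but is split across two 2-minute buckets, so each half stays under the threshold, which is the trade-off of the fixed span (widening it, e.g. to 10 minutes, catches that case at the cost of more noise).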