ID | Technique | Tactic |
---|---|---|
T1567 | Exfiltration Over Web Service | Exfiltration |
Detection: High Volume of Bytes Out to Url
Description
The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.
Search
1
2| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype
3| search sum_bytes_out > 1070000000
4| `drop_dm_object_name("Web")`
5| `high_volume_of_bytes_out_to_url_filter`
Data Source
Name | Platform | Sourcetype | Source | Supported App |
---|---|---|---|---|
Nginx Access | N/A | 'nginx:plus:kv' |
'/var/log/nginx/access.log' |
N/A |
Macros Used
Name | Value |
---|---|
security_content_summariesonly | summariesonly= summariesonly_config allow_old_summaries= oldsummaries_config fillnull_value= fillnull_config`` |
high_volume_of_bytes_out_to_url_filter | search * |
high_volume_of_bytes_out_to_url_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Enabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Risk Based Alerting | True |
Implementation
To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the Web
datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior.
Known False Positives
This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$. | 9 | 30 | 30 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | /var/log/nginx/access.log |
nginx:plus:kv |
Integration | ✅ Passing | Dataset | /var/log/nginx/access.log |
nginx:plus:kv |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2