Detection: High Volume of Bytes Out to Url

Description

The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.

1
2| tstats  `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest from datamodel=Web by _time span=2m Web.url Web.src sourcetype 
3| search sum_bytes_out > 1070000000 
4| `drop_dm_object_name("Web")`
5| `high_volume_of_bytes_out_to_url_filter`

Data Source

Name Platform Sourcetype Source
Nginx Access N/A 'nginx:plus:kv' '/var/log/nginx/access.log'

Macros Used

Name Value
security_content_summariesonly summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config``
high_volume_of_bytes_out_to_url_filter search *
high_volume_of_bytes_out_to_url_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1567 Exfiltration Over Web Service Exfiltration
KillChainPhase.ACTIONS_ON_OBJECTIVES
NistCategory.DE_AE
Cis18Value.CIS_13
APT28
Magic Hound

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To successfully implement this search you need to be ingesting information on Web traffic that include fields relavent for traffic into the Web datamodel. Please adjust the threshold for the sum of bytes out as per your environment and user behavior.

Known False Positives

This search may trigger false positives if there is a legitimate reason for a high volume of bytes out to a URL. We recommend to investigate these findings. Consider updating the filter macro to exclude the applications that are relevant to your environment.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$. 9 30 30
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset /var/log/nginx/access.log nginx:plus:kv
Integration ✅ Passing Dataset /var/log/nginx/access.log nginx:plus:kv

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 3