ML package to detect data exfiltration in your network data.
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started.
The Data Exfiltration Detection (DED) package contains assets for detecting data exfiltration in network data. This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under Elastic License v 2.0.
To download the assets, click Settings > Install Data Exfiltration Detection assets.
Then use these detection rules and anomaly detection jobs for data exfiltration detection.
In Machine Learning > Anomaly Detection, when you create a job, you should see an option to Use preconfigured jobs with a card for Data Exfiltration Detection. When you select the card, you will see a pre-configured anomaly detection job that you can enable depending on what makes the most sense for your environment.
To get the most out of the Data Exfiltration Detection framework, activate the detection rules that are triggered when certain conditions for the anomaly detection jobs are satisfied. See the documentation for more information on importing and enabling the rules.
| Job | Description |
|---|---|
| high-sent-bytes-destination-geo-city_name | A machine learning job to detect data exfiltration to an unusual geo-location (by city name) |
| high-sent-bytes-destination-geo-continent_name | A machine learning job to detect data exfiltration to an unusual geo-location (by continent name) |
| high-sent-bytes-destination-geo-country_iso_code | A machine learning job to detect data exfiltration to an unusual geo-location (by country ISO code) |
| high-sent-bytes-destination-geo-country_name | A machine learning job to detect data exfiltration to an unusual geo-location (by country name) |
| high-sent-bytes-destination-ip | A machine learning job to detect data exfiltration to an unusual geo-location (by IP address) |
| high-sent-bytes-destination-port | A machine learning job to detect data exfiltration to an unusual destination port |
| high-sent-bytes-destination-region_name | A machine learning job to detect data exfiltration to an unusual geo-location (by region name) |
| high-sent-bytes-destination-timezone | A machine learning job to detect data exfiltration to an unusual geo-location (by timezone) |
| Rule | Description |
|---|---|
| Potential Data Exfiltration Activity to an Unusual City | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual city. |
| Potential Data Exfiltration Activity to an Unusual Country | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual country. |
| Potential Data Exfiltration Activity to an Unusual ISO Code | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual country by its ISO code. |
| Potential Data Exfiltration Activity to an Unusual Region | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual region name. |
| Potential Data Exfiltration Activity to an Unusual Continent | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual continent. |
| Potential Data Exfiltration Activity to an Unusual Timezone | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual timezone. |
| Potential Data Exfiltration Activity to an Unusual IP Address | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual IP address. |
| Potential Data Exfiltration Activity to an Unusual Destination Port | An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual destination port. |
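As an added illustration (not part of the package, and not how Elastic's anomaly detection models work internally), the following Python sketch shows the signal the high-sent-bytes-destination-* jobs and their rules are built around: an unusually high volume of sent bytes going to a destination field value that is rare for the dataset. The ECS-style flow records and the `score_flows` heuristic are constructed for this example and apply to any of the destination fields in the job table above.

```python
import statistics
from collections import Counter

# Constructed ECS-style flow records (sample data made up for this example):
# mostly routine traffic to two countries over port 443, plus one small and one
# very large flow to a rarely seen country over a rarely seen port.
def _flow(country, port, sent_bytes):
    return {"source.ip": "10.0.0.5", "destination.geo.country_name": country,
            "destination.port": port, "source.bytes": sent_bytes}

FLOWS = [_flow("United States", 443, 10_000 + 500 * i) for i in range(12)]
FLOWS += [_flow("Germany", 443, 15_000 + 400 * i) for i in range(7)]
FLOWS.append(_flow("Freedonia", 443, 9_000))       # rare destination, small volume
FLOWS.append(_flow("Freedonia", 2222, 850_000))    # rare destination, large volume

def score_flows(flows, field, rare_share=0.1, sigma=3.0):
    """Return flows whose value of `field` is rare in the dataset AND whose
    source.bytes is more than `sigma` standard deviations above the mean.
    This is a simplified, transparent stand-in for the combination the
    high-sent-bytes-destination-* jobs alert on; the packaged jobs use
    Elastic's anomaly detection models rather than this heuristic."""
    counts = Counter(f[field] for f in flows)
    sent = [f["source.bytes"] for f in flows]
    mean, sd = statistics.fmean(sent), statistics.pstdev(sent)
    threshold = mean + sigma * sd
    hits = []
    for f in flows:
        share = counts[f[field]] / len(flows)
        # Both conditions must hold: a rare destination with ordinary volume,
        # or a large transfer to a common destination, is not reported here.
        if share <= rare_share and f["source.bytes"] > threshold:
            hits.append({"field": field, "value": f[field], "share": round(share, 3),
                         "source.bytes": f["source.bytes"], "threshold": round(threshold)})
    return sorted(hits, key=lambda h: h["source.bytes"], reverse=True)

if __name__ == "__main__":
    for field in ("destination.geo.country_name", "destination.port"):
        for hit in score_flows(FLOWS, field):
            print(f"{field}={hit['value']!r} share={hit['share']} "
                  f"sent={hit['source.bytes']} (> {hit['threshold']})")
```

In production the equivalent decision is made by the anomaly detection jobs over your actual network data, and the matching rule fires on the job's anomaly score rather than on a fixed sigma threshold.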
The Data Exfiltration Detection Dashboard is available under Analytics > Dashboard. This dashboard gives an overview of anomalies triggered for the data exfiltration detection package.
For the dashboard to work as expected, the following settings need to be configured in Kibana.
.ml-anomalies-shared
Usage in production requires that you have a license key that permits use of machine learning features.
| Version | Details |
|---|---|
| 1.0.1 | Enhancement: Added categories and/or subcategories. |
| 1.0.0 | Enhancement: Added dashboard and changed the datafeed of anomaly detection jobs. |
| 0.0.2 | Enhancement: Move package to GA, change the package title, change ML job groups and detection rule tags. |
| 0.0.1 | Enhancement: Initial release of the package. |