I would like to set up alerts/investigation on any user/PC that is detected uploading a single file larger than say 1GB to the Internet… or a stream of large data (multiple files) to a single destination.
I did find the “Network Flow - Anomalous Data Transfer” detection rule and am attempting to modify it but I’m not clear on the exceptions part or what all I should configure. I’m part of a small IT team so I’m not super specialized/skilled with IDR beyond basic functions, though I am working on it.
Any help or pointers in the right direction will be helpful.
The ADT detection is based off of learning what is “normal” in your environment for a given asset. So it would potentially fire if the machine in question doesn’t normally upload that size of file to the given destination.
As far as reconfiguring it, I wouldn’t suggest that as the best approach. If you’d like us to take a look at building out a rule based on your log data, I’d suggest raising a support case so we can hop on a call together.
That was the impression I got, however the detection has had zero hits in 5+ years and I just uploaded a 1GB file somewhere and was thinking IT should really know about large files being uploaded. I understand the built-in rule looks for anomalies relative to a baseline, and maybe hasn’t seen them yet, but I would really like to know how to either change this rule or create a custom one that will alert on users uploading large files of a specific size, so we have that visibility. Any suggestions?
Do you not have a rule called “Exfiltration - Anomalous Outgoing Data Transfer (1GB+)” in your detection rule library? I do, and we use it and it has been helpful…
I believe the Default rule action there is set to Off.
@David_Williams, could you confirm that the above rule is set to Creates Investigation and that you have a working Network Sensor that is capturing the traffic from your machine?
If the rule was previously Off and you enable it, I’d suggest re-trying the upload once more.
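As an added illustration of the fixed-threshold rule the original question asks for (this is not InsightIDR’s own rule logic and not code from anyone in this thread), the Python below flags a single outbound flow of 1 GB+ and, separately, a burst of smaller flows to one destination that add up to 1 GB within an hour. The flow record fields, the internal address ranges and the sample flows are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

MIB, GIB = 1024 ** 2, 1024 ** 3
SINGLE_FLOW_LIMIT = 1 * GIB   # one connection carrying 1 GB+ (the threshold asked for above)
AGGREGATE_LIMIT = 1 * GIB     # many smaller flows to one destination within the window
WINDOW_SECONDS = 3600
# Ranges that stay on the LAN; adjust to your own address plan (assumption, not IDR config).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internet(dst_ip: str) -> bool:
    """True when the destination is outside every internal range, i.e. the flow leaves the LAN."""
    ip = ipaddress.ip_address(dst_ip)
    return not any(ip in net for net in INTERNAL_NETS)

def detect_large_uploads(flows):
    """Return (kind, src_host, dst_ip, bytes_out) alerts; flows are ordered by ts per pair."""
    alerts = []
    windows = defaultdict(list)  # (src, dst) -> [(ts, bytes_out), ...] inside the window
    for f in flows:
        if not is_internet(f["dst_ip"]):
            continue  # an internal file-server copy is not an upload to the Internet
        key = (f["src_host"], f["dst_ip"])
        if f["bytes_out"] >= SINGLE_FLOW_LIMIT:
            alerts.append(("single_flow", *key, f["bytes_out"]))
            continue  # already alerted; keep it out of the aggregate window
        window = windows[key]
        window.append((f["ts"], f["bytes_out"]))
        while window and f["ts"] - window[0][0] > WINDOW_SECONDS:
            window.pop(0)  # slide the window forward, dropping stale flows
        total = sum(b for _, b in window)
        if total >= AGGREGATE_LIMIT:
            alerts.append(("aggregate", *key, total))
            window.clear()  # alert once per burst, not on every following flow
    return alerts

# Constructed sample flows (not real telemetry): one 1.2 GiB upload, a large internal
# copy, a burst of 300 MiB uploads to one host, and two uploads too far apart to add up.
SAMPLE_FLOWS = [
    {"ts": 0, "src_host": "ws-01", "dst_ip": "203.0.113.10", "bytes_out": 1200 * MIB},
    {"ts": 10, "src_host": "ws-02", "dst_ip": "10.0.0.5", "bytes_out": 3 * GIB},
    *[{"ts": 100 * i, "src_host": "ws-03", "dst_ip": "198.51.100.7", "bytes_out": 300 * MIB}
      for i in range(1, 6)],
    {"ts": 0, "src_host": "ws-04", "dst_ip": "198.51.100.8", "bytes_out": 300 * MIB},
    {"ts": 5000, "src_host": "ws-04", "dst_ip": "198.51.100.8", "bytes_out": 300 * MIB},
]
```

Running `detect_large_uploads(SAMPLE_FLOWS)` yields one single_flow alert for ws-01 and one aggregate alert for ws-03; the internal copy and the two widely spaced uploads stay silent.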