Query Details

02 CSL Data Exfiltration Outbound Volume

Query

id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
name: "Firewall Anomalous Outbound Data Volume - Exfiltration Risk"
version: 1.0.0
kind: Scheduled
description: |
  Detects internal hosts that send more than 500 MB to external destinations within a
  24-hour window, based on allowed (not blocked) sessions logged by Fortinet, Palo Alto
  Networks, or Zscaler devices. Outbound volume well above a host's normal baseline is an
  indicator of data exfiltration, particularly when combined with unusual session counts
  or destination diversity. The 500 MB threshold is static: tune it per environment and
  expect legitimate hits from backup agents, cloud sync clients, and servers.
  MITRE ATT&CK: T1048 (Exfiltration Over Alternative Protocol)
severity: High
requiredDataConnectors:
  - connectorId: CommonSecurityEvents
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Exfiltration
relevantTechniques:
  - T1048
query: |
  CommonSecurityLog
  | where TimeGenerated > ago(1d)
  | where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
  // Exclude blocked sessions case-insensitively, so vendor capitalisation differences
  // (deny vs DENY, Reset-Both vs reset-both) cannot leak through the filter
  | where DeviceAction !in~ ("deny", "block", "drop", "reset-both")
  | where isnotempty(SourceIP) and isnotempty(DestinationIP)
  | where ipv4_is_private(SourceIP) == true
  | where ipv4_is_private(DestinationIP) == false
  | summarize
      TotalBytesSent    = sum(SentBytes),
      TotalBytesRecv    = sum(ReceivedBytes),
      SessionCount      = count(),
      DestIPs           = make_set(DestinationIP, 20),
      DestPorts         = make_set(DestinationPort, 10),
      HourlyBuckets     = dcount(bin(TimeGenerated, 1h)),
      DeviceVendors     = make_set(DeviceVendor)
    by SourceIP
  | extend TotalMBSent = round(toreal(TotalBytesSent) / 1048576, 2)
  | where TotalMBSent > 500
  | order by TotalMBSent desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
customDetails:
  TotalMBSent: TotalMBSent
  SessionCount: SessionCount
  HourlyBuckets: HourlyBuckets
alertDetailsOverride:
  alertDisplayNameFormat: "Data Exfiltration Risk - {{SourceIP}} sent {{TotalMBSent}} MB outbound"
  alertDescriptionFormat: "Host {{SourceIP}} transmitted {{TotalMBSent}} MB to external destinations across {{SessionCount}} sessions. Possible data exfiltration activity."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - IP
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potential data exfiltration activities by monitoring outbound data transfers from internal hosts to external destinations. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies internal hosts that send more than 500 MB of data to external destinations within a 24-hour window. Volume on that scale is treated as a potential data exfiltration risk.

  2. Data Sources: It uses CommonSecurityLog records from Fortinet, Palo Alto Networks, and Zscaler devices.

  3. Filtering Criteria:

    • Only records from the last 24 hours are considered.
    • Sessions the device denied, blocked, dropped, or reset are excluded, since that traffic never left the network.
    • Only flows from private (RFC 1918) source IPs to public destination IPs are kept. ipv4_is_private() returns null for anything that is not an IPv4 address, so IPv6 flows are silently dropped.

  4. Data Aggregation (one row per source IP):

    • Total bytes sent and received.
    • Session count, plus a sample of up to 20 distinct destination IPs and 10 destination ports.
    • HourlyBuckets: the number of distinct one-hour bins in which the host had traffic, which separates a single burst (1) from a steady drip spread across the day (up to 24).
    • The set of device vendors that logged the traffic.

  5. Alert Conditions:

    • A host whose total sent volume exceeds 500 MB produces a result row.
    • Results are ordered by MB sent, descending, so the largest transfer appears first.

  6. Alert Details:

    • The source IP is mapped as the IP entity; TotalMBSent, SessionCount, and HourlyBuckets are attached as custom details.
    • The alert name and description are overridden to state the host, the volume sent, and the session count.

  7. Incident Management:

    • Each alert creates an incident.
    • Alerts for the same source IP within a 6-hour lookback are grouped into one incident rather than opening a new one each hour the rule runs.

Overall, this query helps security teams identify and respond to unusual and potentially harmful data transfers that could indicate data exfiltration attempts.
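To see what the rule actually computes before it reaches a workspace, here is an added offline model of its pipeline in Python, written for this page and not part of the rule or its author's code. It applies the same filters (24-hour window, vendor list, case-insensitive exclusion of blocked actions, private source, public destination), summarizes per SourceIP the way the query does, and runs over constructed CommonSecurityLog-style rows. The rows, the host addresses, and the 12:00 UTC "now" are all made up for the example; they are chosen so that one host crosses 500 MB through a steady 30 MB-per-hour drip, one crosses it in a single SSH burst, and the other hosts show the cases the query drops, including the IPv6 flow that ipv4_is_private() turns into a null.

```python
"""Offline model of the 'Anomalous Outbound Data Volume' rule above, run over
constructed CommonSecurityLog-style rows (example code, not part of the rule)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

MB = 1024 * 1024
THRESHOLD_MB = 500
VENDORS = {"Fortinet", "Palo Alto Networks", "Zscaler"}
# Actions treated as blocked, compared case-insensitively (the !in~ form).
BLOCKED_ACTIONS = {"deny", "block", "drop", "reset-both"}
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_is_private(addr):
    """Mirror KQL ipv4_is_private(): True/False for an IPv4 string, None otherwise.
    In KQL a null comparison fails the `where`, so IPv6 rows silently drop out."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return None
    return any(ip in net for net in RFC1918)


def detect(rows, now, threshold_mb=THRESHOLD_MB):
    """Apply the rule's filters, summarize by SourceIP and return hosts over the
    threshold, ordered by TotalMBSent descending, like the query's output."""
    cutoff = now - timedelta(days=1)                            # ago(1d)
    agg = defaultdict(lambda: {"sent": 0, "recv": 0, "sessions": 0, "dest_ips": set(),
                               "dest_ports": set(), "hours": set(), "vendors": set()})
    for r in rows:
        if r["TimeGenerated"] <= cutoff:
            continue
        if r["DeviceVendor"] not in VENDORS:
            continue
        if r["DeviceAction"].lower() in BLOCKED_ACTIONS:       # blocked traffic never left
            continue
        if not r["SourceIP"] or not r["DestinationIP"]:
            continue
        if ipv4_is_private(r["SourceIP"]) is not True:          # internal source only
            continue
        if ipv4_is_private(r["DestinationIP"]) is not False:    # external destination only
            continue
        a = agg[r["SourceIP"]]
        a["sent"] += r["SentBytes"]
        a["recv"] += r["ReceivedBytes"]
        a["sessions"] += 1
        a["dest_ips"].add(r["DestinationIP"])
        a["dest_ports"].add(r["DestinationPort"])
        a["hours"].add(r["TimeGenerated"].replace(minute=0, second=0, microsecond=0))  # bin(, 1h)
        a["vendors"].add(r["DeviceVendor"])
    results = []
    for ip, a in agg.items():
        total_mb = round(a["sent"] / MB, 2)
        if total_mb > threshold_mb:
            results.append({
                "SourceIP": ip,
                "TotalMBSent": total_mb,
                "TotalBytesRecv": a["recv"],
                "SessionCount": a["sessions"],
                "DestIPs": sorted(a["dest_ips"])[:20],          # make_set(DestinationIP, 20)
                "DestPorts": sorted(a["dest_ports"])[:10],      # make_set(DestinationPort, 10)
                "HourlyBuckets": len(a["hours"]),
                "DeviceVendors": sorted(a["vendors"]),
            })
    results.sort(key=lambda x: x["TotalMBSent"], reverse=True)
    return results


def row(t, src, dst, sent_mb, vendor="Palo Alto Networks", action="allow", port=443):
    """Build one constructed CommonSecurityLog-like row (sample data, not real logs)."""
    return {"TimeGenerated": t, "DeviceVendor": vendor, "DeviceAction": action,
            "SourceIP": src, "DestinationIP": dst, "DestinationPort": port,
            "SentBytes": sent_mb * MB, "ReceivedBytes": 2 * MB}


NOW = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)   # hypothetical rule run time


def sample_rows(now=NOW):
    """Constructed traffic covering the cases the rule keeps and the cases it drops."""
    rows = []
    # Steady drip: 30 MB every hour for 24 hours -> 720 MB across 24 hourly buckets.
    for h in range(24):
        rows.append(row(now - timedelta(hours=h, minutes=30), "10.0.0.5", "203.0.113.10", 30))
    # Same host, 25 hours ago: outside queryPeriod, must not count.
    rows.append(row(now - timedelta(hours=25), "10.0.0.5", "203.0.113.10", 30))
    # Single burst: one 600 MB SSH session -> 1 hourly bucket.
    rows.append(row(now - timedelta(hours=2), "10.0.0.6", "198.51.100.7", 600, vendor="Fortinet", port=22))
    # 900 MB but denied by the firewall (mixed case on purpose) -> excluded.
    rows.append(row(now - timedelta(hours=3), "10.0.0.7", "203.0.113.50", 900, action="Deny"))
    # 800 MB to an internal destination -> excluded.
    rows.append(row(now - timedelta(hours=4), "10.0.0.8", "10.0.1.20", 800))
    # IPv6 flow: ipv4_is_private() yields null, so the row drops before summarize.
    rows.append(row(now - timedelta(hours=5), "2001:db8::10", "2001:db8:ffff::1", 700))
    # Vendor not in the list -> excluded even though the volume is high.
    rows.append(row(now - timedelta(hours=6), "10.0.0.9", "203.0.113.60", 650, vendor="Check Point"))
    # Under threshold.
    rows.append(row(now - timedelta(hours=7), "10.0.0.10", "203.0.113.70", 100))
    return rows


if __name__ == "__main__":
    for hit in detect(sample_rows(), NOW):
        print(f"{hit['SourceIP']}: {hit['TotalMBSent']} MB over {hit['SessionCount']} sessions "
              f"in {hit['HourlyBuckets']} hourly buckets -> {hit['DestIPs']}")
```

Two hosts survive: 10.0.0.5 at 720 MB over 24 sessions in 24 buckets, then 10.0.0.6 at 600 MB in one session. The HourlyBuckets column is what lets an analyst tell those apart at triage time, since a 24-bucket drip looks like a sync agent or a deliberately slow exfiltration, while a single-bucket burst looks like one large upload. The IPv6 host at 700 MB never appears, which is the blind spot to keep in mind if the environment routes IPv6 to the internet.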

Details

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLog, DeviceVendor, SourceIP, DestinationIP, SentBytes, ReceivedBytes, DestinationPort, TimeGenerated

Operators

ago(), in(), !in(), isnotempty(), ipv4_is_private(), summarize, sum(), count(), make_set(), dcount(), bin(), extend, round(), toreal(), order by