THIS IS A EXPERIMENTAL DETECTION
This detection has been marked experimental by the Splunk Threat Research team. This means we have not been able to test, simulate, or build datasets for this detection. Use at your own risk. This analytic is NOT supported.
Insider might conduct information collection before data exfiltration, and unusual volume of data download from internal server is an indicator of such potential threat. This detection evaluates the total bytes downloaded from internal servers at specific time window per entity level, and then flagged these that are higher than 99.999% percentile as an anamaly. A behavior will be reported as long as the downloaded byte volume is unusual even though that operation is benign, which causes false positive. It is therefore advised to adjust threshold and time window based on detection performance whenever necessary. It should be noted that seasonality is not modeled in the current approach.
- Type: Anomaly
- Product: Splunk Behavioral Analytics
- Datamodel: Network_Traffic
- Last Updated: 2022-01-17
- Author: Xiao Lin, Splunk
- ID: cca028f4-77dd-11ec-bc09-acde48001122
Kill Chain Phase
- CIS 13
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | from read_ssa_enriched_events() | eval sourcetype = ucast(map_get(input_event, "sourcetype"), "string", null) | eval timestamp = parse_long(ucast(map_get(input_event, "_time"), "string", null)) | where sourcetype == "pan:traffic" | eval src_device_scope =ucast(map_get(input_event, "src_device_scope"), "string", null) | eval dest_device_scope=ucast(map_get(input_event, "dest_device_scope"), "string", null) | where src_device_scope IS NOT NULL AND dest_device_scope IS NOT NULL | eval dest_device = ucast(map_get(input_event, "dest_device_ips"), "collection<string>", ) | where dest_device IS NOT NULL AND dest_device_scope == "INTERNAL" | eval src_device = ucast(map_get(input_event, "src_device_ips"), "collection<string>", ) | where src_device IS NOT NULL AND src_device_scope == "INTERNAL" | eval bytes_in = ucast(map_get(input_event, "bytes_in"), "integer", 0) | eval download_bytes = cast(bytes_in, "double") | eval tenant = ucast(map_get(input_event, "_tenant"), "string", null) | eval event_id = ucast(map_get(input_event, "event_id"), "string", null) | adaptive_threshold algorithm="quantile" value="download_bytes" entity="dest_device" window=86400000L | where label AND quantile>0.99999 | eval end_time = timestamp | eval start_time = end_time - 86400000 | eval body = create_map(["event_id", event_id, "tenant", tenant]) | eval entities=mvappend(dest_device) | into write_ssa_detected_events();
The SPL above uses the following Macros:
unusual_volume_of_data_download_from_internal_server_per_entity_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
Ingest PAN traffic logs
Known False Positives
Benign large volume data download might be flagged as (false) positive.
Associated Analytic Story
|25.0||50||50||$src_device_ip downloaded unusually amount of data from internal server within one day|
source | version: 1