Significant Data Ingress/Egress

In a typical client-server conversation the client downloads more than it uploads. This search detects the opposite pattern over a time period: a client sending significantly more data to a server than it receives from it, which is one indicator of data exfiltration.

For the best search results, query on a sourcetype that contains the bytes, bytes_in and bytes_out fields. The first two eval commands do the following: (1) the first sets uploadDelta to "upload" when the uploaded bytes are greater than 5 times the downloaded bytes; (2) the second sets downloadDelta to "download" when the downloaded bytes are greater than 1.1 times the uploaded bytes; (3) in both if statements the else branch is an empty string.

The second where command keeps only source/destination pairs whose summed uploaded data exceeds a 2MB threshold.

The iplocation command identifies the geolocation details of the dest_ip field.

sourcetype=* AND bytes=*
| convert timeformat="%m/%d/%Y %H:%M" ctime(_time) as timeMin
| stats sum(bytes_in) as bytesIn sum(bytes_out) as bytesOut by timeMin src_ip dest_ip
| eval uploadDelta=if(bytesOut>bytesIn*(5), "upload", "")
| eval downloadDelta=if(bytesIn>bytesOut*(1.1), "download", "")
| table timeMin src_ip dest_ip bytesIn downloadDelta bytesOut uploadDelta
| where (uploadDelta="upload")
| stats sum(bytesOut) as uploadBytes sum(bytesIn) as downloadBytes by src_ip dest_ip
| where uploadBytes>(2*1048576)
| iplocation dest_ip
| sort - uploadBytes
| eval "uploadBytes_deltaFactor_5"=if(uploadBytes>1073741824, tostring(round(uploadBytes/1073741824,2))+" GB", if(uploadBytes>1048576, tostring(round(uploadBytes/1048576,2))+" MB", if(uploadBytes>1024, tostring(round(uploadBytes/1024))+" KB", tostring(uploadBytes)+" B")))
| eval "downloadBytes_deltaFactor_1.1"=if(downloadBytes>1073741824, tostring(round(downloadBytes/1073741824,2))+" GB", if(downloadBytes>1048576, tostring(round(downloadBytes/1048576,2))+" MB", if(downloadBytes>1024, tostring(round(downloadBytes/1024))+" KB", tostring(downloadBytes)+" B")))
| fields - uploadBytes - downloadBytes - lon - lat - City
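The same detection logic, added here as a Python example (not part of the original post) so the per-minute bucketing, the 5x upload test, the 2MB threshold and the byte formatting can be checked against constructed flow records outside Splunk. The flow tuples, IP addresses and byte counts are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

UPLOAD_FACTOR = 5               # flag a minute when bytes_out > 5 x bytes_in
UPLOAD_THRESHOLD = 2 * 1048576  # 2 MB summed over the flagged minutes

# Constructed flow records, not real traffic: (time, src_ip, dest_ip, bytes_in, bytes_out)
SAMPLE_FLOWS = [
    ("2024-01-05 10:01:07", "10.0.0.5", "203.0.113.9", 1200, 900_000),
    ("2024-01-05 10:01:43", "10.0.0.5", "203.0.113.9", 800, 700_000),
    ("2024-01-05 10:02:10", "10.0.0.5", "203.0.113.9", 500, 750_000),
    ("2024-01-05 10:02:15", "10.0.0.7", "198.51.100.20", 4_000_000, 60_000),  # ordinary download
    ("2024-01-05 10:03:02", "10.0.0.9", "203.0.113.9", 1000, 1_500_000),      # upload-heavy, under 2 MB
]

def minute_key(ts):
    """Same bucketing as convert timeformat="%m/%d/%Y %H:%M" ctime(_time)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%m/%d/%Y %H:%M")

def per_minute_totals(flows):
    """First stats: sum bytes_in/bytes_out by minute, src_ip and dest_ip."""
    totals = defaultdict(lambda: [0, 0])
    for ts, src, dest, bytes_in, bytes_out in flows:
        bucket = totals[(minute_key(ts), src, dest)]
        bucket[0] += bytes_in
        bucket[1] += bytes_out
    return totals

def detect(flows):
    """Minutes where bytesOut > 5*bytesIn, summed per src/dest, kept above 2 MB."""
    pairs = defaultdict(lambda: [0, 0])   # (src, dest) -> [uploadBytes, downloadBytes]
    for (_, src, dest), (bytes_in, bytes_out) in per_minute_totals(flows).items():
        if bytes_out > bytes_in * UPLOAD_FACTOR:      # the uploadDelta="upload" condition
            pairs[(src, dest)][0] += bytes_out
            pairs[(src, dest)][1] += bytes_in
    hits = [(src, dest, up, down) for (src, dest), (up, down) in pairs.items()
            if up > UPLOAD_THRESHOLD]
    return sorted(hits, key=lambda h: h[2], reverse=True)   # sort - uploadBytes

def human_bytes(n):
    """Mirror of the nested if() that renders bytes as GB/MB/KB/B."""
    if n > 1073741824:
        return f"{round(n / 1073741824, 2)} GB"
    if n > 1048576:
        return f"{round(n / 1048576, 2)} MB"
    if n > 1024:
        return f"{round(n / 1024)} KB"
    return f"{n} B"

if __name__ == "__main__":
    for src, dest, up, down in detect(SAMPLE_FLOWS):
        print(f"{src} -> {dest}: uploaded {human_bytes(up)}, downloaded {human_bytes(down)}")
```

Only 10.0.0.5 is reported: 10.0.0.7 is download-heavy and 10.0.0.9's upload-heavy minute stays below the 2MB threshold.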
