Significant Data Ingress/Egress

In a typical client-server conversation the client downloads more than it uploads. This search detects the opposite pattern over a time period: a client sending significantly more data to a server than it receives back, which is a common signature of data exfiltration.

For the best results, run the search against a sourcetype that carries bytes, bytes_in and bytes_out fields. The first two eval commands do the following: (1) populate an upload field (and the matching download field) when the uploaded bytes are greater than 5 times the downloaded bytes; (2) populate a download field when the downloaded bytes are greater than 1.1 times the uploaded bytes; (3) in both if statements the else branch assigns an empty string, so a field is only set when its ratio test passes.

The second where command keeps only results whose summed uploaded bytes exceed a 2MB threshold.

The iplocation command adds geolocation details (country, city and coordinates) for the dest_ip field, so each flagged destination can be checked against where the client would be expected to send data.
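The logic described above, reimplemented in Python as an added example that is not the page's own search, so the ratio and threshold steps can be tested offline against constructed records. It assumes each record carries bytes_in (bytes the client received) and bytes_out (bytes the client sent), and that results are summed per src_ip/dest_ip pair; the iplocation step is left out because it needs a geolocation database.

```python
"""Upload-vs-download ratio detection over per-connection byte counts.

Added example, not code from the original page. It mirrors the page's
description: two eval-style ratio tests, then a summed-upload threshold.
Assumption: bytes_in = bytes the client received, bytes_out = bytes the
client sent. Field semantics differ between sourcetypes, so confirm the
direction before relying on the result.
"""
from collections import defaultdict

UPLOAD_RATIO = 5.0                  # upload set when bytes_out > 5 x bytes_in
DOWNLOAD_RATIO = 1.1                # download set when bytes_in > 1.1 x bytes_out
UPLOAD_THRESHOLD = 2 * 1024 * 1024  # 2MB summed upload per client/server pair


def classify(record):
    """Mirror the two eval commands: return (upload, download) fields.

    A field whose ratio test fails is an empty string, as in the page's else.
    """
    bytes_in = int(record.get("bytes_in", 0))
    bytes_out = int(record.get("bytes_out", 0))
    upload = bytes_out if bytes_out > UPLOAD_RATIO * bytes_in else ""
    download = bytes_in if bytes_in > DOWNLOAD_RATIO * bytes_out else ""
    return upload, download


def find_heavy_uploaders(records, threshold=UPLOAD_THRESHOLD):
    """Sum the upload field per (src_ip, dest_ip) and keep pairs whose total
    exceeds the threshold (the 'where' step). Returns pair -> total bytes."""
    totals = defaultdict(int)
    for rec in records:
        upload, _ = classify(rec)
        if upload != "":
            totals[(rec["src_ip"], rec["dest_ip"])] += upload
    return {pair: total for pair, total in totals.items() if total > threshold}


# Constructed sample records (not real traffic; documentation-range addresses).
SAMPLE_RECORDS = [
    # normal browsing: download-heavy, never flagged
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "bytes_in": 900_000, "bytes_out": 40_000},
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "bytes_in": 1_200_000, "bytes_out": 30_000},
    # sustained upload-heavy sessions from one host to one server: flagged
    {"src_ip": "10.0.0.7", "dest_ip": "198.51.100.20", "bytes_in": 10_000, "bytes_out": 1_500_000},
    {"src_ip": "10.0.0.7", "dest_ip": "198.51.100.20", "bytes_in": 8_000, "bytes_out": 1_400_000},
    # one upload-heavy session, but under 2MB in total: not flagged
    {"src_ip": "10.0.0.9", "dest_ip": "198.51.100.30", "bytes_in": 5_000, "bytes_out": 900_000},
    # roughly symmetric traffic: neither field is set
    {"src_ip": "10.0.0.11", "dest_ip": "198.51.100.40", "bytes_in": 100_000, "bytes_out": 100_000},
]

if __name__ == "__main__":
    for (src, dst), total in find_heavy_uploaders(SAMPLE_RECORDS).items():
        print(f"{src} -> {dst}: {total} bytes uploaded, over threshold")
```

The 1.1 download ratio and the 5x upload ratio leave a band of roughly symmetric traffic in which neither field is set; only pairs whose summed upload field clears the 2MB threshold survive, which is why the single 900 KB session above is not reported.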
