IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Data Exfiltration Activity to an Unusual IP Addressedit
A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.
Rule type: machine_learning
Rule indices: None
Severity: low
Risk score: 21
Runs every: 15m
Searches indices from: now-6h (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Use Case: Data Exfiltration Detection
- Rule Type: ML
- Rule Type: Machine Learning
- Tactic: Exfiltration
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guideedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Technique:
- Name: Exfiltration Over C2 Channel
- ID: T1041
- Reference URL: https://attack.mitre.org/techniques/T1041/