Potential Data Exfiltration Activity to an Unusual IP Address | Elastic Security Solution [8.10]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

« Potential Data Exfiltration Activity to an Unusual ISO Code Potential Data Exfiltration Activity to an Unusual Destination Port »

Potential Data Exfiltration Activity to an Unusual IP Addressedit

A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-6h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guideedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over C2 Channel
- ID: T1041
- Reference URL: https://attack.mitre.org/techniques/T1041/

« Potential Data Exfiltration Activity to an Unusual ISO Code Potential Data Exfiltration Activity to an Unusual Destination Port »