Elastic Security Detection Rules

Spike in Bytes Sent to an External Device

Last updated 6 months ago on 2025-01-15
Created 2 years ago on 2023-09-22

About

A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.
Tags
Use Case: Data Exfiltration DetectionRule Type: MLRule Type: Machine LearningTactic: Exfiltration
Severity
low
Risk Score
21
MITRE ATT&CK™

Exfiltration (TA0010)(opens in a new tab or window)

Exfiltration Over Physical Medium (T1052)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

ded(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Spike in Bytes Sent to an External Device in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).