Data exfiltration detection 7.2.2
The aggregation expression SUM has been introduced to total the values of a numeric log field over a configurable period. Event handlers can use the SUM expression to trigger events and notifications when the summed value of a log field reaches a configured threshold.
This feature can be used to detect data exfiltration attempts, for example an endpoint sending an unusually large volume of data within a short period.
The Aggregation Expression can be set to SUM when configuring rules for both event handlers and correlation handlers. For more information about correlation handlers, see Rule based event correlation 7.2.2.
The SUM aggregation expression is only supported in Fabric ADOMs.
To use the SUM aggregation expression in an event handler:
- Go to FortiSoC > Handlers > Event Handler List, and click Create New.
- Click Add New Rule.
You can also edit or clone an event handler to edit an existing rule.
- From the Aggregation Expression dropdown, select SUM.
- Enter the following for the Aggregation Expression:
Aggregation field: Select an aggregation field from the dropdown. The available options depend on the Log Device Type and Log Type selected for the rule.
Threshold: Enter the threshold value required to satisfy the rule. When the summed values of the matching logs reach this threshold within the aggregation duration, the rule condition is satisfied.
Multiplier: For some aggregation fields, you can select a multiplier for the threshold value. For example, when sentbyte is selected as the aggregation field, you can select one of the following multipliers:
- null (bytes)
- Kilo Byte
- Mega Byte
- Giga Byte
- Terra Byte
- In the Aggregation Duration field, enter the length of the time window in minutes. The rule is satisfied when the summed values of the logs that fall within this window reach the threshold.
- Configure the remaining options for the rule and the event handler, as needed.
Example:
Below is an event handler configured to generate an alert when a total of 100 MB of data is sent from an endpoint within 30 minutes:
- Aggregation Expression = SUM
- Aggregation field = sentbyte
- Threshold = 100
- Multiplier = Mega Byte
- Aggregation Duration = 30
Events triggered by this event handler appear in FortiSoC > Event Monitor > All Events. For example, see the image below.
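To make the SUM aggregation concrete, the following is an added example (not FortiAnalyzer code) that reproduces the logic of the event handler above over a handful of constructed FortiGate traffic log lines: it sums sentbyte per source IP over a trailing 30-minute window and reports a group the moment its total reaches 100 MB. Three things are assumptions for illustration only: the multipliers are decimal (Mega Byte = 10^6 bytes; FortiAnalyzer may use binary units), the window is sliding rather than fixed, and logs are grouped by srcip (the real handler groups by whatever Group By field the rule configures). The log lines are constructed, not captured.

```python
"""Sliding-window SUM aggregation over constructed FortiGate traffic logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Multiplier labels as shown in the event handler GUI, mapped to a byte factor.
# Assumption: decimal units; the product may interpret these as binary units.
MULTIPLIERS = {
    None: 1,            # "null (bytes)"
    "Kilo Byte": 10**3,
    "Mega Byte": 10**6,
    "Giga Byte": 10**9,
    "Terra Byte": 10**12,
}

# Constructed sample logs (FortiGate key=value format, abbreviated).
SAMPLE_LOGS = [
    'date=2023-03-01 time=09:00:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.1.1.25 dstip=203.0.113.10 dstport=443 sentbyte=40000000 rcvdbyte=12000',
    'date=2023-03-01 time=09:05:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.1.1.40 dstip=198.51.100.7 dstport=443 sentbyte=60000000 rcvdbyte=8000',
    'date=2023-03-01 time=09:10:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.1.1.25 dstip=203.0.113.10 dstport=443 sentbyte=35000000 rcvdbyte=9000',
    'date=2023-03-01 time=09:20:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.1.1.25 dstip=203.0.113.11 dstport=22 sentbyte=30000000 rcvdbyte=3000',
    # Same host as 09:05 but 45 minutes later: outside a 30-minute window.
    'date=2023-03-01 time=09:50:00 logid="0000000013" type="traffic" subtype="forward" srcip=10.1.1.40 dstip=198.51.100.7 dstport=443 sentbyte=60000000 rcvdbyte=8000',
]

_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line):
    """Parse a key=value log line; quoted values keep their inner text."""
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def sum_aggregation(lines, aggregation_field="sentbyte", group_by="srcip",
                    threshold=100, multiplier="Mega Byte", aggregation_duration=30):
    """Return (group, timestamp, total) for each group whose summed field value
    reaches threshold * multiplier within a trailing window of
    aggregation_duration minutes. One event per crossing; the group re-arms
    once its windowed total falls back under the limit."""
    limit = threshold * MULTIPLIERS[multiplier]
    window = timedelta(minutes=aggregation_duration)

    records = []
    for line in lines:
        log = parse_log(line)
        try:
            ts = datetime.strptime(log["date"] + " " + log["time"], "%Y-%m-%d %H:%M:%S")
            value = int(log[aggregation_field])
            key = log[group_by]
        except (KeyError, ValueError):
            continue  # skip logs lacking the field, e.g. non-traffic logs
        records.append((ts, key, value))
    records.sort(key=lambda r: r[0])  # logs may arrive out of order

    buckets = defaultdict(deque)   # group -> (ts, value) pairs inside the window
    running = defaultdict(int)     # group -> windowed sum
    above = set()                  # groups currently over the limit
    events = []
    for ts, key, value in records:
        q = buckets[key]
        q.append((ts, value))
        running[key] += value
        while q and ts - q[0][0] > window:     # evict logs older than the window
            _, old = q.popleft()
            running[key] -= old
        if running[key] >= limit:
            if key not in above:
                events.append((key, ts, running[key]))
                above.add(key)
        else:
            above.discard(key)
    return events


if __name__ == "__main__":
    for group, ts, total in sum_aggregation(SAMPLE_LOGS):
        print(f"{ts} {group} sent {total} bytes within 30 minutes")
```

With the sample input, 10.1.1.25 reaches 105,000,000 bytes at 09:20 and generates one event, while 10.1.1.40 never does: its two 60 MB transfers are 45 minutes apart, so the first has left the window by the time the second arrives. Lowering the threshold to 50 MB makes both hosts alert, which is the kind of tuning pass to run against real baseline traffic before enabling notifications.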