New Features

Data exfiltration detection 7.2.2

The aggregation expression SUM has been introduced to total the values of a log field over a configurable period. Event handlers can use the SUM expression to trigger events and notifications when the summed value of a log field reaches a defined threshold.

This feature can be used to detect data exfiltration attempts, such as a large volume of data being sent from a single endpoint within a short period.

The Aggregation Expression can be set to SUM when configuring rules for both event handlers and correlation handlers. For more information about correlation handlers, see Rule based event correlation 7.2.2.

Note

The SUM aggregation expression is only supported in Fabric ADOMs.

To use the SUM aggregation expression in an event handler:
  1. Go to FortiSoC > Handlers > Event Handler List, and click Create New.
  2. Click Add New Rule.

    You can also edit or clone an event handler to edit an existing rule.

  3. From the Aggregation Expression dropdown, select SUM.

  4. Configure the following options for the Aggregation Expression:

    Aggregation field: Select an aggregation field from the dropdown. The available options depend on the Log Device Type and Log Type selected for the rule.

    Threshold: Enter the threshold value required to satisfy the rule. When the summed values from multiple logs reach this threshold, the rule condition is satisfied.

    Multiplier: For some aggregation fields, you can select a multiplier for the threshold value. For example, when sentbyte is selected as the aggregation field, you can select one of the following multipliers:

    • null (bytes)
    • Kilo Byte
    • Mega Byte
    • Giga Byte
    • Terra Byte

  5. In the Aggregation Duration field, enter the number of minutes within which the logs must reach this sum for the rule to be satisfied.
  6. Configure the remaining options for the rule and the event handler, as needed.

Example:

Below is an event handler configured to generate an alert when a total of 100 MB of data is sent from an endpoint within 30 minutes:

  • Aggregation Expression = SUM
    - Aggregation field: sentbyte
    - Threshold: 100
    - Multiplier: Mega Byte
  • Aggregation Duration = 30

Events triggered by this event handler appear in FortiSoC > Event Monitor > All Events.
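To make the SUM aggregation concrete, the following Python script is an added example that models the rule above outside the product: it is not FortiAnalyzer code and does not reproduce its internals. It parses constructed FortiGate-style key=value traffic logs, keeps a sliding window of sentbyte values per source IP, and fires an event when the window total reaches the threshold times the multiplier. Assumptions of this example, not statements from the documentation: the multiplier factors are 1024-based, logs are grouped by the srcip field, logs arrive in time order, and a group's window is reset after an event fires so one burst produces one event.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Multiplier names as shown in the handler UI. The 1024-based byte factors are an
# assumption of this example; the documentation does not state the exact factor.
MULTIPLIERS = {
    "null": 1,
    "Kilo Byte": 1024,
    "Mega Byte": 1024 ** 2,
    "Giga Byte": 1024 ** 3,
    "Terra Byte": 1024 ** 4,
}

# key=value pairs; values may be double-quoted (e.g. devname="FGT-1").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse a FortiGate-style key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


class SumRule:
    """Sliding-window SUM aggregation of one numeric log field, grouped by a key field."""

    def __init__(self, field, threshold, multiplier, duration_minutes, group_by="srcip"):
        self.field = field
        self.limit = threshold * MULTIPLIERS[multiplier]
        self.window = timedelta(minutes=duration_minutes)
        self.group_by = group_by          # assumption: aggregate per source endpoint
        self.buckets = defaultdict(deque)  # group key -> deque of (timestamp, value)

    def feed(self, log):
        """Consume one parsed log; return an event dict if the rule fires, else None."""
        if self.field not in log or self.group_by not in log:
            return None  # e.g. event logs without a sentbyte field are ignored
        ts = datetime.strptime(f"{log['date']} {log['time']}", "%Y-%m-%d %H:%M:%S")
        key = log[self.group_by]
        bucket = self.buckets[key]
        bucket.append((ts, int(log[self.field])))
        # Drop entries older than the aggregation duration (logs assumed time-ordered).
        while bucket and ts - bucket[0][0] > self.window:
            bucket.popleft()
        total = sum(v for _, v in bucket)
        if total >= self.limit:
            bucket.clear()  # assumption: start a fresh window after an event fires
            return {"group": key, "field": self.field, "total": total, "at": ts}
        return None


def run(lines, rule):
    """Feed raw log lines through the rule and collect the events it generates."""
    events = []
    for line in lines:
        event = rule.feed(parse_log(line))
        if event:
            events.append(event)
    return events


# Constructed sample logs (not from the documentation). 10.0.0.9 sends 60 MB twice,
# 45 minutes apart, so it never reaches 100 MB within 30 minutes; 10.0.0.5 sends
# 40 MB + 40 MB + 30 MB within 25 minutes and should trigger on the third log.
SAMPLE_LOGS = [
    'date=2024-01-15 time=09:00:00 devname="FGT-1" type=traffic srcip=10.0.0.9 dstip=203.0.113.7 sentbyte=62914560 rcvdbyte=4096',
    'date=2024-01-15 time=09:45:00 devname="FGT-1" type=traffic srcip=10.0.0.9 dstip=203.0.113.7 sentbyte=62914560 rcvdbyte=4096',
    'date=2024-01-15 time=10:00:00 devname="FGT-1" type=traffic srcip=10.0.0.5 dstip=198.51.100.20 sentbyte=41943040 rcvdbyte=2048',
    'date=2024-01-15 time=10:10:00 devname="FGT-1" type=traffic srcip=10.0.0.5 dstip=198.51.100.20 sentbyte=41943040 rcvdbyte=2048',
    'date=2024-01-15 time=10:15:00 devname="FGT-1" type=event subtype=system srcip=10.0.0.5 msg="login ok"',
    'date=2024-01-15 time=10:25:00 devname="FGT-1" type=traffic srcip=10.0.0.5 dstip=198.51.100.20 sentbyte=31457280 rcvdbyte=1024',
]


def example():
    """The rule from the page: SUM of sentbyte, threshold 100 Mega Byte, 30 minutes."""
    rule = SumRule(field="sentbyte", threshold=100, multiplier="Mega Byte", duration_minutes=30)
    return run(SAMPLE_LOGS, rule)


if __name__ == "__main__":
    for ev in example():
        print(f"{ev['at']} {ev['group']} sent {ev['total']} bytes within the window")
```

Running the script prints one event for 10.0.0.5 at 10:25 with a window total of 115343360 bytes (about 110 MB), while 10.0.0.9 stays quiet because its first transfer has aged out of the 30-minute window before the second arrives. A real handler would add the remaining rule options the page mentions (log device type, log type, and any additional filters) rather than matching on srcip alone.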
