Technical preview
This functionality may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but technical preview features are not subject to the support service level agreement of official generally available features.

The DED model package contains the data exfiltration detection model and its associated assets. This package requires a Platinum subscription: make sure a Trial or Platinum-level subscription is installed on your cluster before proceeding. The package is licensed under Elastic License v1.0.

Configuration

To download the assets, click Settings > Install DED assets.

Then use these detection rules and anomaly detection jobs for data exfiltration detection.

Add preconfigured anomaly detection jobs

In Machine Learning > Anomaly Detection, when you create a job, you should see an option to Use preconfigured jobs with a card for Data Exfiltration Detection (DED). When you select the card, you will see a pre-configured anomaly detection job that you can enable depending on what makes the most sense for your environment.

(Optional) Enable Security rules

In order to maximize the benefit of the DED detection framework, you might consider activating detection rules that are triggered when certain conditions for the anomaly detection jobs are satisfied. See the documentation for more information on importing and enabling the rules.

ML Modules

DED

Detect data exfiltration activity in your network data.

Job                                               Description
high-sent-bytes-destination-geo-city_name         A machine learning job to detect data exfiltration to an unusual geo-location (by city name)
high-sent-bytes-destination-geo-continent_name    A machine learning job to detect data exfiltration to an unusual geo-location (by continent name)
high-sent-bytes-destination-geo-country_iso_code  A machine learning job to detect data exfiltration to an unusual geo-location (by country ISO code)
high-sent-bytes-destination-geo-country_name      A machine learning job to detect data exfiltration to an unusual geo-location (by country name)
high-sent-bytes-destination-ip                    A machine learning job to detect data exfiltration to an unusual geo-location (by IP address)
high-sent-bytes-destination-port                  A machine learning job to detect data exfiltration to an unusual destination port
high-sent-bytes-destination-region_name           A machine learning job to detect data exfiltration to an unusual geo-location (by region name)
high-sent-bytes-destination-timezone              A machine learning job to detect data exfiltration to an unusual geo-location (by timezone)
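As an added illustration (not Elastic's code and not the jobs' actual statistical model), the Python sketch below applies the common shape of these jobs, an unusual destination attribute combined with an abnormal volume of sent bytes, to constructed ECS-style events. Field names such as source.bytes and destination.geo.country_name are ECS; the rarity and byte-factor thresholds are assumptions chosen for the example.

```python
# Added example, not Elastic's ML implementation: a simplified stand-in for the
# "high-sent-bytes-destination-*" jobs above. Each job looks for an abnormal
# volume of bytes sent to a destination attribute (city, country, IP, port...)
# that is unusual for the population. Here "unusual" is a rare value and
# "abnormal" is sent bytes far above the median; the real jobs model this
# statistically. Field names follow ECS; event records are constructed.
from collections import Counter
from statistics import median

def ev(ip, city, country, port, sent):
    """Build a flattened ECS-style network event (constructed sample data)."""
    return {"destination.ip": ip, "destination.geo.city_name": city,
            "destination.geo.country_name": country, "destination.port": port,
            "source.bytes": sent}

# Constructed traffic: a steady baseline to one common destination, one large
# transfer to that common destination (e.g. a backup), one small transfer to a
# rare destination, and one large transfer to a rare destination and port.
EVENTS = (
    [ev("203.0.113.10", "Ashburn", "United States", 443, 10_000 + 500 * i) for i in range(9)]
    + [ev("203.0.113.10", "Ashburn", "United States", 443, 500_000),  # large but common
       ev("198.51.100.7", "Toronto", "Canada", 443, 9_000),           # rare but small
       ev("192.0.2.44", "Reykjavik", "Iceland", 8443, 900_000)]       # rare and large
)

def unusual_high_senders(events, field, rare_share=0.1, byte_factor=5.0):
    """Return events whose `field` value appears in at most `rare_share` of all
    events AND whose source.bytes exceed `byte_factor` times the median."""
    total = len(events)
    counts = Counter(e[field] for e in events)
    rare = {value for value, c in counts.items() if c / total <= rare_share}
    baseline = median(e["source.bytes"] for e in events)
    return [e for e in events
            if e[field] in rare and e["source.bytes"] > byte_factor * baseline]

# The fields the page's jobs key on; one pass per field mirrors one job each.
JOB_FIELDS = ["destination.geo.city_name", "destination.geo.country_name",
              "destination.ip", "destination.port"]

def run_all(events, fields=JOB_FIELDS):
    """Map each keyed field to the (value, sent_bytes) pairs it would flag."""
    return {f: [(e[f], e["source.bytes"]) for e in unusual_high_senders(events, f)]
            for f in fields}

if __name__ == "__main__":
    for field, hits in run_all(EVENTS).items():
        print(f"{field}: {hits}")
```

Only the transfer that is both rare and large is flagged; the large transfer to the common destination and the small transfer to the rare one are not, which is the distinction the rules in the next table rely on.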

Security Detection Rules

Rule                                                                  Description
Potential Data Exfiltration Activity to an Unusual City               An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual city.
Potential Data Exfiltration Activity to an Unusual Country            An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual country.
Potential Data Exfiltration Activity to an Unusual ISO Code           An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual country by its ISO code.
Potential Data Exfiltration Activity to an Unusual Region             An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual region name.
Potential Data Exfiltration Activity to an Unusual Continent          An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual continent.
Potential Data Exfiltration Activity to an Unusual Timezone           An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual timezone.
Potential Data Exfiltration Activity to an Unusual IP Address         An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual IP address.
Potential Data Exfiltration Activity to an Unusual Destination Port   An anomaly detection job has detected an abnormal volume of bytes being sent to an unusual destination port.

Licensing

Usage in production requires that you have a license key that permits use of machine learning features.

Changelog

Version  Details
0.0.1    Enhancement: Initial release of the package