IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Potential Reverse Shell via Child Potential Data Exfiltration Activity to an Unusual IP Address »

› ›

Potential Data Exfiltration Activity to an Unusual ISO Code

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Potential Data Exfiltration Activity to an Unusual ISO Code

edit

A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-6h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over C2 Channel
- ID: T1041
- Reference URL: https://attack.mitre.org/techniques/T1041/

« Potential Reverse Shell via Child Potential Data Exfiltration Activity to an Unusual IP Address »