Time series anomaly for data size transferred to public internet

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

'Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern. A sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated. The higher the score, the further it is from the baseline value. The output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	f2dd4a3a-ebac-4994-9499-1a859938c947
Severity	Medium
Kind	Scheduled
Tactics	Exfiltration
Techniques	T1030
Required Connectors	CiscoASA, PaloAltoNetworks, AzureMonitor(VMInsights)
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
Anomalies	✓	✓	?
CommonSecurityLog	✓	✓	?
VMConnection	?	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
CefAma	Common Event Format
CloudNSSAuditLogs_ccp	Zscaler Internet Access
CloudNSSCASBActivityLogs_ccp	Zscaler Internet Access
CloudNSSCASBCRMLogs_ccp	Zscaler Internet Access
CloudNSSCASBCloudStorageLogs_ccp	Zscaler Internet Access
CloudNSSCASBCollabLogs_ccp	Zscaler Internet Access
CloudNSSCASBEmailLogs_ccp	Zscaler Internet Access
CloudNSSCASBFileSharingLogs_ccp	Zscaler Internet Access
CloudNSSCASBITSMLogs_ccp	Zscaler Internet Access
CloudNSSCASBRepoLogs_ccp	Zscaler Internet Access
CloudNSSDNSLogs_ccp	Zscaler Internet Access
CloudNSSEmailDLPLogs_ccp	Zscaler Internet Access
CloudNSSEndpointDLPLogs_ccp	Zscaler Internet Access
CloudNSSFWLogs_ccp	Zscaler Internet Access
CloudNSSTunnelLogs_ccp	Zscaler Internet Access
CloudNSSWebLogs_ccp	Zscaler Internet Access
VirtualMetricDirectorProxy	VirtualMetric DataStream
VirtualMetricMSSentinelConnector	VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector	VirtualMetric DataStream

Solutions: Common Event Format, VirtualMetric DataStream, Zscaler Internet Access

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules