Starting from FortiAnalyzer version 7.2.0, a Data Exfiltration detection feature has been added. It can be configured as a Basic Handler or Correlation Handler using the aggregation expression SUM.

An aggregation field can be used for log fields such as duration, sentbyte, rcvdbyte, sentpkt, and rcvpkt.

The following example shows a Basic Event Handler that will trigger an Alert when a minimum threshold of sentbytes is met during a specific duration. 

• Event Handler Configuration Rule:

• Event Handler hit:

• Event Monitor:

Note: The Aggregation expression SUM will work only if  :

• ADOM type is Fabric.
• And the SIEM Module is enabled.

If the SIEM Module is enabled can be verified via the:

config system global

(global)# set disable-module
fortiview-noc FortiView/NOC-SOC module.
siem SIEM module.
soc SOC module.
ot-view OT-VIEW module.
none No modules disabled.

The SIEM Module should not be listed as a 'disable-module'.

Related documents:

Creating a custom event handler 

Technical Tip: FortiAnalyzer Event Handler for data exfiltration detection

Troubleshooting Tip: How to troubleshoot for event handler related issues

Technical Tip: Event handler triggered on sent or received bytes from specific IP address