Description | This article describes the FortiAnalyzer Event Handler to detect Data Exfiltration. |
Scope | FortiAnalyzer 7.2.0 and above. |
Solution |
Starting with FortiAnalyzer 7.2.0, a Data Exfiltration detection feature is available. It is configured as a Basic Handler or a Correlation Handler that uses the aggregation expression SUM.
The aggregation field can be a numeric log field such as duration, sentbyte, rcvdbyte, sentpkt or rcvdpkt.
The following example shows a Basic Event Handler that triggers an alert when the sum of sentbyte reaches a minimum threshold within a specified time window.
Note: The aggregation expression SUM works only if the SIEM module is enabled. Whether it is enabled can be verified from the FortiAnalyzer CLI:
config system global
(global)# set disable-module
The SIEM module must not be listed among the disabled modules; if it is, SUM-based handlers will not match. |
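To make the handler's behaviour concrete, the following added example reproduces the SUM aggregation outside FortiAnalyzer: it parses FortiGate-style key=value traffic logs, groups them by srcip, sums sentbyte over a sliding time window and raises one alert per source the first time the sum reaches the threshold. This is illustration code, not FortiAnalyzer's implementation; the sample log lines, the 150 MB threshold and the 5-minute window are constructed for the example, and the detect_exfiltration and parse_log names are the author's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample FortiGate traffic logs (not captured from a real device).
# Field names follow the FortiGate traffic log schema: srcip, dstip, sentbyte,
# rcvdbyte, sentpkt, rcvdpkt. Host 10.0.0.5 uploads ~165 MB in four minutes.
SAMPLE_LOGS = """\
date=2024-03-01 time=10:00:05 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 sentbyte=60000000 rcvdbyte=1200 sentpkt=41000 rcvdpkt=30
date=2024-03-01 time=10:02:10 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 sentbyte=55000000 rcvdbyte=900 sentpkt=38000 rcvdpkt=25
date=2024-03-01 time=10:03:30 type="traffic" subtype="forward" srcip=10.0.0.8 dstip=198.51.100.7 sentbyte=2000 rcvdbyte=800000 sentpkt=20 rcvdpkt=600
date=2024-03-01 time=10:04:00 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 sentbyte=50000000 rcvdbyte=1000 sentpkt=35000 rcvdpkt=28
date=2024-03-01 time=10:40:00 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 sentbyte=10000000 rcvdbyte=500 sentpkt=7000 rcvdpkt=10
"""

# key=value pairs; values may be double-quoted (type="traffic") or bare (srcip=10.0.0.5)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one FortiGate-style key=value log line into a dict of strings."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def log_time(fields):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def detect_exfiltration(lines, group_by="srcip", field="sentbyte",
                        threshold=150_000_000, window=timedelta(minutes=5)):
    """Basic-handler style SUM aggregation.

    For each distinct value of `group_by`, keep the events that fall inside the
    trailing `window` and sum `field` over them. Return one alert per group the
    first time that sum reaches `threshold`. Records that are not traffic logs
    or lack the aggregation field are ignored, as the handler's filter would.
    """
    events = defaultdict(list)   # group value -> [(timestamp, field value), ...]
    alerted = set()
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        f = parse_log(line)
        if f.get("type") != "traffic" or field not in f or group_by not in f:
            continue
        ts = log_time(f)
        key = f[group_by]
        bucket = events[key]
        bucket.append((ts, int(f[field])))
        # Slide the window: discard events older than `window` relative to this log.
        cutoff = ts - window
        bucket = [(t, v) for t, v in bucket if t > cutoff]
        events[key] = bucket
        total = sum(v for _, v in bucket)
        if total >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({group_by: key, "sum_" + field: total,
                           "time": ts, "count": len(bucket)})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_LOGS):
        print(f"ALERT {alert['srcip']} sent {alert['sum_sentbyte']} bytes "
              f"in {alert['count']} sessions ending {alert['time']}")
```

Running the script flags 10.0.0.5 at 10:04:00 with 165,000,000 bytes summed over three sessions; the later 10:40:00 session is outside the window and is evaluated on its own, so it does not alert. Passing field="rcvdbyte" with a smaller threshold turns the same logic into a download-volume detector, which is what choosing a different aggregation field in the handler does.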