FortiAnalyzer
RMarqeshi
Staff
Article Id 354279
Description: This article describes how to configure a FortiAnalyzer Event Handler to detect data exfiltration.
Scope: FortiAnalyzer 7.2.0 and above.
Solution

Starting from FortiAnalyzer version 7.2.0, a Data Exfiltration detection feature is available. It can be configured as a Basic Handler or as a Correlation Handler using the aggregation expression SUM.

The aggregation field can be a numeric log field such as duration, sentbyte, rcvdbyte, sentpkt or rcvdpkt.

The following example shows a Basic Event Handler that triggers an alert when the sum of sentbyte reaches a minimum threshold within a specified time period.

 

  • Event Handler Configuration Rule (screenshot: KB-DataExfiltartion-1.png)
  • Event Handler hit (screenshot: KB-DE-2.png)
  • Event Monitor (screenshot: KB-DE-EventMonitor.png)

Note: The aggregation expression SUM works only if both of the following are true:

  • The ADOM type is Fabric.
  • The SIEM module is enabled.

Whether the SIEM module is enabled can be verified from the CLI:

config system global
(global)# set disable-module
    fortiview-noc   FortiView/NOC-SOC module.
    siem            SIEM module.
    soc             SOC module.
    ot-view         OT-VIEW module.
    none            No modules disabled.

The SIEM module must not be listed under disable-module.