Data Exfiltration

Use the IBM® QRadar® Data Exfiltration Content Extension to closely monitor for data exfiltration activities in your deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

About the Data Exfiltration extension

The QRadar Content Extension pack for Data Exfiltration adds several rules and saved searches that focus on detecting data exfiltration activities.

Examples of data exfiltration activities are:

  • Large outbound data transfer to a known malicious IP or to an online file storage service.
  • Slow and stealthy outbound data transfer over several days or months.
  • Data leakage or data loss in the cloud. For example, if a confidential file is uploaded to a publicly accessible folder or bucket, or if a confidential file's permissions are changed to be world readable or accessible.
  • Sharing confidential files. For example, if confidential files are shared with a malicious host, guest user, or with a user from outside the organization.

IBM Security QRadar Data Exfiltration Content Extensions

IBM Security QRadar Data Exfiltration Content Extension 1.0.5

This version of IBM Security QRadar Data Exfiltration Content Extension includes a fix for an error that caused the Exfiltration rule group to have its name and description listed as null when called from the API.

The following table shows the custom event properties that are new or updated in IBM Security QRadar Data Exfiltration Content Extension 1.0.5.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.
Table 1. Custom Event Properties in IBM Security QRadar Data Exfiltration Content Extension 1.0.5
Custom Property | Optimized | Found in
File Directory | Yes |
Recipient Host | Yes |
Recipient_User | Yes |
UrlHost | Yes |
Web Category | Yes |

The following table shows the rules that are new or updated in IBM Security QRadar Data Exfiltration 1.0.5.

Table 2. Rules in IBM Security QRadar Data Exfiltration 1.0.5
Name | Description
Excessive File Access Events From the Same Source IP | Changed excluded IP address range from 192.168.2.0/24 to 192.0.2.0/24.
Excessive File Access Events From the Same Username | Changed excluded IP address range from 192.168.2.0/24 to 192.0.2.0/24.
Excessive file download events from the same username | Changed excluded IP address range from 192.168.2.0/24 to 192.0.2.0/24.
Excessive File Downloads Events From the Same Source IP | Changed excluded IP address range from 192.168.2.0/24 to 192.0.2.0/24.


IBM Security QRadar Data Exfiltration Content Extension 1.0.4

The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Data Exfiltration 1.0.4.

Table 3. Rules and Building Blocks in IBM Security QRadar Data Exfiltration 1.0.4
Type | Name | Description
Building Block | BB:BehaviorDefinition: Potentially Hostile Recipient Host | Added filter to improve performance.
Building Block | BB:CategoryDefinition: Communication with Potential Hostile Destination IPs | Added a flow direction filter to improve performance.
Building Block | BB:CategoryDefinition: Communication with Potential Hostile Recipient Hosts | Removed this building block.
Building Block | BB:BehaviorDefinition: External Recipient Host | Fixed the reference set ID link on this building block.
Rule | Excessive File Access Events From the Same Source IP | Added same location (log source) to rule logic.
Rule | Excessive File Access Events From the Same Username | Added same location (log source) to rule logic.
Rule | Excessive File Downloads Events From the Same Source IP | Added same location (log source) to rule logic.
Rule | Excessive File Downloads Events From the Same Username | Added same location (log source) to rule logic.
Rule | File Accessed or Downloaded From a Malicious IP | Changed response limiter to Destination IP.
Rule | Large Outbound Data Transfer | Removed due to a known defect that breaks import of threshold rules.
Rule | Large Outbound Data Transfer for Flows | Removed due to a known defect that breaks import of threshold rules.
Rule | Large Outbound Data Transfer to a File Storage Host | Removed due to a known defect that breaks import of threshold rules.
Rule | Large Outbound Data Transfer to a Malicious Host or IP | Removed due to a known defect that breaks import of threshold rules.
Rule | Large Outbound Data Transfer to a Malicious IP for Flows | Removed due to a known defect that breaks import of threshold rules.

The following table shows the saved searches that are new or updated in IBM Security QRadar Data Exfiltration 1.0.4.

Table 4. Saved Searches in IBM Security QRadar Data Exfiltration 1.0.4
Name | Description
Large Outbound Data Transfer | Removed the having clause from the AQL search.
Large Outbound Data Transfer - Anomaly Monitoring | Removed the having clause from the AQL search.
Large Outbound Data Transfer to a File Storage Host | Removed the having clause from the AQL search.
Large Outbound Data Transfer to Malicious Host or IP | Removed the having clause from the AQL search.
Large Outbound Data Transfer to Malicious IP | Removed the having clause from the AQL search.


IBM Security QRadar Data Exfiltration Content Extension 1.0.3

Fixed errors in the Pulse dashboard which caused AQL queries to parse incorrectly.

The following table shows the building blocks that are renamed in IBM Security QRadar Data Exfiltration Content Extension 1.0.3.

Table 5. Building blocks renamed in IBM Security QRadar Data Exfiltration Content Extension 1.0.3
Old Name | New Name
BB:BehaviorDefinition: External Email Addresses | BB:BehaviorDefinition: External Recipient Host
BB:BehaviorDefinition: Potentially Hostile Email Host | BB:BehaviorDefinition: Potentially Hostile Recipient Host


IBM Security QRadar Data Exfiltration Content Extension 1.0.2

Updated the conditions for the following rules:
  • Large Outbound Data Transfer
  • Large Outbound Data Transfer for Flows
  • Large Outbound Data Transfer to a File Storage Host
  • Large Outbound Data Transfer to a Malicious Host or IP
  • Large Outbound Data Transfer to a Malicious IP for Flows


IBM Security QRadar Data Exfiltration Content Extension 1.0.1

Updated the QNI : Confidential Content Being Transferred rule to include the records that triggered the rule in the offense.


IBM Security QRadar Data Exfiltration Content Extension 1.0.0

The following table shows the custom event properties in IBM Security QRadar Data Exfiltration Content Extension 1.0.0.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.
Table 6. Custom Event Properties in IBM Security QRadar Data Exfiltration Content Extension 1.0.0
Custom Property | Optimized | Found in
BytesReceived | Yes |
BytesSent | Yes |
File Directory | Yes |
File Extension | Yes |
Filename | Yes |
MessageID | Yes |
Policy Name | Yes |
Public Permission | Yes | Amazon AWS
Recipient Host | Yes |
Recipient_User | Yes |
Storage Name | Yes | Amazon AWS
Target User Area | Yes | Microsoft Office 365
URL | Yes |
UrlHost | Yes |
Web Category | Yes |

The following table shows the building blocks and rules in IBM Security QRadar Data Exfiltration Content Extension 1.0.0.

Table 7. Building blocks and rules in IBM Security QRadar Data Exfiltration Content Extension 1.0.0
Type | Name | Description
Building Block | BB:BehaviorDefinition: External Email Addresses | This Building Block identifies recipient hosts that are not in the Corporate Email Domains reference set. Note: The Corporate Email Domains reference set must be populated.
Building Block | BB:BehaviorDefinition: Potentially Hostile Email Host | This Building Block identifies an email that is being sent to a malicious host. The host is malicious if the X-Force® categorization for it returns one of the following: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining.
Building Block | BB:CategoryDefinition: Communication with Potential Hostile Destination IPs | This Building Block identifies communications to malicious IPs. The host is malicious if the X-Force categorization for it returns one of the following: Malware, Botnet Command and Control Server, Spam, Cryptocurrency Mining, Scanning IPs, Bots, or Phishing.
Building Block | BB:CategoryDefinition: Communication with Potential Hostile Recipient Hosts | This Building Block identifies communications to malicious hosts. The host is malicious if the X-Force categorization for it returns one of the following: Botnet Command and Control Server, Malware, Phishing URLs, Cryptocurrency Mining, or Spam URLs.
Building Block | BB:CategoryDefinition: Countries/Regions with Restricted Access | Edit this BB to include any geographic location that typically would not be allowed to access the enterprise.
Building Block | BB:CategoryDefinition: File Deleted Events | Edit this Building Block to include any file deletion event categories.
Building Block | BB:CategoryDefinition: Link Shared Events | Edit this Building Block to include link shared related event categories.
Building Block | BB:CategoryDefinition: Object Access Events | Edit this Building Block to include all object (file, folder, and so on) access-related event categories.
Building Block | BB:CategoryDefinition: Object Download Events | Edit this Building Block to include all object (file, folder, and so on) download-related event categories.
Building Block | BB:CategoryDefinition: Object Upload Events | Edit this Building Block to include all object (file, folder, and so on) upload-related event categories.
Building Block | BB:DeviceDefinition: DLP Devices | This Building Block defines all data loss prevention (DLP) devices on the system.
Building Block | BB:DeviceDefinition: Mail | This Building Block defines all Mail devices on the system.
Building Block | BB:Exfiltration: Files in Sensitive Directories | Detects files that are in sensitive paths. Sensitive paths are defined in the Sensitive File Paths reference set. Note: The Sensitive File Paths reference set must be populated.
Rule | Database Backup or Compressed File Uploaded to a Publicly Accessible Folder | This rule triggers when a database backup or a compressed file is uploaded to a publicly accessible folder or bucket. The Publicly Accessible Folders reference set must be populated with the relevant folder names. Note: The Critical File Extensions reference set is pre-populated with critical file extensions, and can be tuned.
Rule | Email containing Sensitive File Sent to External Host | This rule triggers when an email that contains sensitive data is sent to an email address that is outside of the organization. Note: The Sensitive File Directories reference set must be populated with the relevant folder names. The Corporate Email Domains reference set must be populated with the organization's email domain.
Rule | Email containing Sensitive File Sent to Potentially Hostile Host | This rule triggers when an email that contains a sensitive file is being sent to a host that is known for hostile activities such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. The Files in Sensitive Directories reference set is populated by the Files in Sensitive File Directories rule. Note: The Sensitive Directories reference set must be populated.
Rule | Excessive File Access Events From the Same Source IP | This rule triggers when at least 15 different files are accessed by the same source IP within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS Updates or Software Updates.
Rule | Excessive File Access Events From the Same Username | This rule triggers when at least 15 different files are accessed by the same user name within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS Updates or Software Updates.
Rule | Excessive File Downloads Events From the Same Source IP | This rule triggers when at least 10 different files are downloaded from the same source IP within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS Updates or Software Updates.
Rule | Excessive File Downloads Events From the Same Username | This rule triggers when at least 15 different files are downloaded by the same user name within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS Updates or Software Updates.
Rule | File Accessed or Downloaded From a Malicious IP | This rule triggers when a file is accessed or downloaded from a malicious IP such as known Command and Control Servers or Malware Servers.
Rule | File or Folder Shared With an Email Hosted on a Potentially Hostile Domain | This rule triggers when a file or folder is shared with an email that is associated with hostile domains such as Spam URLs, Phishing URLs, Malware, or Cryptocurrency Mining.
Rule | File or Folder Shared With an External Email Address | This rule triggers when a file or a folder is shared with non-corporate email address domains. Note: The Corporate Email Domains reference set must be populated with the organization's email domain.
Rule | Files Deleted from Sensitive File Directories | This rule detects when there is a file deletion event from a sensitive file directory and then removes the file name from the Files in Sensitive Directories reference set as a Rule Response. Note: In IBM Security QRadar 7.3.2 and earlier versions, the reference set does not link properly to Files in Sensitive Directories - AlphaNumeric. This was corrected in 7.3.2 patch 1. If you do not have 7.3.2 patch 1 installed, you can do the following: Select the rule, and click Next. Under Rule Response, click the list for the reference set, and select Files in Sensitive Directories - AlphaNumeric.
Rule | Files in Sensitive File Directories | This rule detects when a new file is found in a sensitive file directory and then adds the file name to the Files in Sensitive Directories reference set as a Rule response.
Rule | Large Outbound Data Transfer | This anomaly rule triggers when more than 5 GB of data is transferred to an IP address within 4 days.
Rule | Large Outbound Data Transfer for Flows | This flow anomaly rule triggers when more than 1 GB of data is transferred within 24 hours to a single IP address. For more information, see the Large Outbound Data Transfer Network Activity saved search.
Rule | Large Outbound Data Transfer to a File Storage Host | This event anomaly rule triggers when more than 1 GB of data is transferred to a URL classified under the X-Force category Web Storage, within 24 hours. The rule is also configured to match on the proxy category populated in the Reference Set, File Storage Web Categories. For more information, see the Large Outbound Data Transfer to a File Storage Host Log Activity saved search.
Rule | Large Outbound Data Transfer to a Malicious Host or IP | This event anomaly rule triggers when more than 1 GB of data is transferred within 24 hours to an IP address or URL that is classified under one of the following X-Force categories: Malware, Botnet Command and Control Server, Spam, Cryptocurrency Mining, Scanning IPs (only on IP addresses), Phishing, or Bots (only on IP addresses). The rule is also configured to match on the proxy category populated in the Reference Set, Malicious Web Categories. For more information, see the Large Outbound Data Transfer to Malicious Host or IP Log Activity saved search.
Rule | Large Outbound Data Transfer to a Malicious IP for Flows | This flow anomaly rule triggers when more than 1 GB of data is transferred within 24 hours to an IP address that is classified under one of the following X-Force categories: Malware, Botnet Command and Control Server, Spam, Cryptocurrency Mining, Scanning IPs, Phishing, or Bots. For more information, see the Large Outbound Data Transfer to Malicious IP Network Activity saved search.
Rule | QNI : Confidential Content Being Transferred | This rule detects confidential content that is being transferred to a remote destination. Suspect content can be tuned with YARA rules. For more information, see the QNI documentation.
Rule | Sensitive File Accessed or Downloaded From Regions or Countries with Restricted Access | This rule triggers when a confidential file is accessed or downloaded from a region or country with restricted access. These regions are defined in the BB:CategoryDefinition: Countries/Regions with Restricted Access building block.
Rule | Sensitive File Permissions Allow Public Access | This rule triggers when the permissions for a sensitive file are publicly accessible. The Files in Sensitive Directories reference set is populated by the Files in Sensitive File Directories rule. Note: The Sensitive Directories reference set must be populated.
Rule | Sensitive File Shared with a Guest User or Group | This rule triggers when a sensitive file is shared with a guest user or group. The Files in Sensitive Directories reference set is populated by the Files in Sensitive File Directories rule, which uses the Sensitive Directories reference set. Note: The Sensitive Directories and Guest Login Users reference sets must be populated.
Rule | Sensitive File Uploaded to a Publicly Accessible Folder | This rule triggers when a sensitive file is uploaded to a publicly accessible folder or bucket.
Rule | Suspicious Activity on Confidential Data Detected by DLP Devices | This rule triggers when suspicious activity on confidential data is detected from a DLP Device. The DLP devices are defined in the BB:DeviceDefinition: DLP Devices building block. Note: The DLP Policies reference set must be populated.
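As an added example (not part of the content extension or of IBM's documentation), the following Python reproduces outside QRadar the detection logic of two rule patterns from the table above: the distinct-file count threshold of the Excessive File Access rules, with the 192.0.2.0/24 exclusion from 1.0.5 and the same-log-source grouping added in 1.0.4, and the per-destination byte threshold of the Large Outbound Data Transfer for Flows rule. The Event record, the sample events, and the allow-list that stands in for the Legitimate Data Transfer Destination IPs reference set are constructed assumptions; the sliding-window handling is this example's own, not QRadar's rule engine.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Stand-ins for QRadar reference data (constructed values for this example).
EXCLUDED_SOURCE_NET = ipaddress.ip_network("192.0.2.0/24")   # excluded range, as in 1.0.5
LEGITIMATE_DEST_IPS = {"203.0.113.10"}  # stands in for Legitimate Data Transfer Destination IPs

@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch
    source_ip: str
    dest_ip: str
    log_source: str    # the "same location (log source)" condition added in 1.0.4
    filename: str      # empty for flow records
    bytes_sent: int

def excessive_file_access(events, min_files=15, window=300):
    """(source_ip, log_source) pairs touching >= min_files distinct files in any window."""
    per_key = defaultdict(list)
    for e in events:
        if not e.filename or ipaddress.ip_address(e.source_ip) in EXCLUDED_SOURCE_NET:
            continue
        per_key[(e.source_ip, e.log_source)].append(e)
    hits = set()
    for key, evs in per_key.items():
        evs.sort(key=lambda x: x.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            if len({x.filename for x in evs[start:end + 1]}) >= min_files:
                hits.add(key)
                break
    return hits

def large_outbound_transfer(events, limit=1_000_000_000, window=86_400):
    """Destination IPs receiving more than `limit` bytes in any window; allow-list skipped."""
    per_dest = defaultdict(list)
    for e in events:
        if e.bytes_sent > 0 and e.dest_ip not in LEGITIMATE_DEST_IPS:
            per_dest[e.dest_ip].append(e)
    hits = set()
    for dest, evs in per_dest.items():
        evs.sort(key=lambda x: x.ts)
        start, total = 0, 0
        for e in evs:
            total += e.bytes_sent
            while e.ts - evs[start].ts > window:  # drop bytes that fell out of the window
                total -= evs[start].bytes_sent
                start += 1
            if total > limit:
                hits.add(dest)
                break
    return hits

def sample_events():
    """Constructed sample data: a noisy source, an excluded source, a slow source,
    a 1.2 GB flow series to one destination, and the same series to an allow-listed IP."""
    evs = [Event(i * 15, "10.0.0.5", "10.0.0.50", "fileserver", f"doc{i}.docx", 0) for i in range(16)]
    evs += [Event(i * 15, "192.0.2.7", "10.0.0.50", "fileserver", f"doc{i}.docx", 0) for i in range(16)]
    evs += [Event(i * 120, "10.0.0.9", "10.0.0.50", "fileserver", f"doc{i}.docx", 0) for i in range(15)]
    evs += [Event(i * 1800, "10.0.0.5", "198.51.100.20", "flows", "", 100_000_000) for i in range(12)]
    evs += [Event(i * 1800, "10.0.0.5", "203.0.113.10", "flows", "", 100_000_000) for i in range(12)]
    return evs
```

Lowering `min_files` or shortening `window` shows how the same events move in and out of the thresholds, which is the tuning the table's notes ask for when legitimate update traffic is present.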

The following table shows the reference data in IBM Security QRadar Data Exfiltration Content Extension 1.0.0.

Table 8. Reference Data in IBM Security QRadar Data Exfiltration Content Extension 1.0.0
Type | Name | Description
Reference Set | Confidential/Sensitive File Names | Contains a list of confidential or sensitive file names.
Reference Set | Corporate Email Domains | Contains a list of corporate email domains.
Reference Set | Critical File Extensions | Contains a list of critical file extensions.
Reference Set | DLP Policies | Contains a list of DLP policies.
Reference Set | File Storage Web Categories | Contains a list of file storage web categories.
Reference Set | Files in Sensitive Directories | Contains a list of file names in sensitive directories.
Reference Set | Guest Login Users | Contains a list of guest login user names.
Reference Set | Legitimate Data Transfer Destination IPs | Contains a list of legitimate data transfer destination IPs.
Reference Set | Malicious Web Categories | Contains a list of malicious web categories.
Reference Set | Publicly Accessible Folders | Contains a list of names of publicly accessible folders.
Reference Set | Sensitive File Directories | Contains a list of sensitive file directories.

The following table shows the saved searches in IBM Security QRadar Data Exfiltration Content Extension 1.0.0.

Table 9. Saved Searches in IBM Security QRadar Data Exfiltration Content Extension 1.0.0
Name | Description
Large Outbound Data Transfer | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts.
Large Outbound Data Transfer to a File Storage Host | Shows all events with large outbound data transfer (greater than 1 GB) to file storage hosts.
Large Outbound Data Transfer to Malicious Host or IP | Shows all events with large outbound data transfer (greater than 1 GB) to malicious host or IP.
Slow Outbound Data Transfer Over Multiple Days | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts over multiple days.
Slow Outbound Data Transfer Over Multiple Days Grouped By Source IP and Username | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts over multiple days grouped by source IP and user name.
Slow Outbound Data Transfer Over Multiple Months | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts over multiple months.
Large Outbound Data Transfer | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs.
Large Outbound Data Transfer to a Malicious IP | Shows all flows with large outbound data transfer (greater than 1 GB) to malicious IP.
Slow Outbound Data Transfer Over Multiple Days | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs over multiple days.
Slow Outbound Data Transfer Over Multiple Days Grouped By Source IP | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs over multiple months grouped by source IP.
Slow Outbound Data Transfer Over Multiple Months | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs over multiple months.
