UEBA : Multiple Blocked File Transfers Followed by a File Transfer
The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
False
Default senseValue
10
Default senseValueSource
10
Default senseValueDestination
10
Description
Detects exfiltration by checking for file uploads that were initially blocked but were followed by a successful upload within a span of 5 minutes.
Support rules
- BB:UBA : Common Event Filters
- BB:UBA : Blocked File Transfer
- BB:UBA : Successful File Transfer
Required configuration
This rule requires both blocked file transfer events and successful file transfer events to occur for an accurate detection. If the log source in use does not have an eventID for both event types, you might receive inaccurate results. See the log source types listed below to determine the eventIDs for the log source in use.
Log source types (Blocked file transfers)
Cilasoft QJRN/400 (EventID: C21020)
Cisco Call Manager (EventID: %UC_DRF-3-DRFSftpFailure)
Cisco IOS (EventID: %UPDATE-3-SFTP_TRANSFER_FAIL)
Custom Rule Engine (EventID: 18014, 18071, 18187, 4032)
Extreme Stackable and Standalone Switches (EventID: FFTP request failed)
Flow Classification Engine (EventID: 4032, 18187, 18014, 18071)
Forcepoint Sidewinder (EventID: FTP Permits, denied ftp command)
IBM i (EventID: UNR0907, UNR0908, UNR2302, GSL0118, GSL0119, GSL0318, GSL0319, GSL3718, GSL3719, GSL0618, UNR0701, UNR0707, UNR0901, UNR0910, UNR2301, UNR0705, UNR0706, UNR0708, UNR0710, UNR0801, UNR0802, UNR0905, UNR0906, GSL0619)
Juniper Networks Intrusion Detection and Prevention (IDP) (EventID: TFTP:AUDIT:READ-FAILED)
Microsoft IIS (EventID: 530)
Microsoft Operations Manager (EventID: 22095)
OSSEC (EventID: 11504, 11512)
Universal DSM (EventID: FTP Action Denied, TFTP Session Denied, FTP Denied, FileTransfer Denied)
WatchGuard Fireware OS (EventID: 1CFF0002, 1CFF0006, 1CFF0007, 1CFF0009, 1CFF0001, 1CFF0019, 1CFF0000, 1CFF0003)
Log source types (Successful file transfers)
Cilasoft QJRN/400 (EventID: C21031)
Cisco FireSIGHT Management Center (EventID: FILE_EVENT, FILE_EVENT_0)
Cisco IOS (EventID: %FTPSERVER-6-NEWCONN)
Cisco IronPort (EventID: FTP_connection)
Custom Rule Engine (EventID: 18010, 4031, 18431, 18183)
DG Technology MEAS (EventID: 119-003, 119-070)
Flow Classification Engine (EventID: 18010, 4031, 18431, 18183)
Flow Device Type (EventID: 21984, 21879, 51337, 51336, 35159, 21910)
Huawei S Series Switch (EventID: FTPS/5/REQUEST)
IBM Proventia Network Intrusion Prevention System (IPS) (EventID: FTP, TFTP)
IBM i (EventID: MLD1200, MLD2100, MO10300, MO10400, MO11800, MO12100, MO12400, MO20200, MO20300, MO21300, MO21800, MO21900, GSL0101, GSL0102, GSL0301, GSL0302, GSL3701, GSL3702, M090100, UNA0705, UNA0706, UNA0708, UNA0710, UNA0801, UNA0802, UNA0905, UNA0906, UNA0907, UNA0908, UNA2302, UNA0601, UNA0604, UNA0605, UNA0607, UNA0701, UNA0707, UNA0901, UNA0902, UNA0910, UNA2301, M030100, MLD1100)
Juniper MX Series Ethernet Services Router (EventID: TFTP, FTP)
Juniper Networks AVT (EventID: TFTP, FTP)
Microsoft IIS (EventID: 150, 125, 225)
ProFTPD Server (EventID: FTP session opened)
Solaris Operating System Authentication Messages (EventID: ftp connection)
SonicWALL SonicOS (EventID: 1112, 1113)
Squid Web Proxy (EventID: 3C0002_ALLOWED)
Trend InterScan VirusWall (EventID: Trend ftpconnect)
Universal DSM (EventID: File Transfer, FTP Opened, FTP Action Allowed, TFTP Session Opened)
Verdasys Digital Guardian (EventID: Network Transfer Upload, Network Transfer Download)
WatchGuard Fireware OS (EventID: 2AFF0004, 1CFF0019)
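The following is an added illustration of the correlation the description and the required-configuration note describe, not code from the QRadar UEBA app: events are classified as blocked or successful using a few of the eventIDs listed above (Microsoft IIS and Universal DSM), and a user is flagged when a successful transfer follows blocked transfers within the 5-minute window. The "at least 2 blocked" threshold is an assumption standing in for "multiple"; the sample events are constructed.

```python
from datetime import datetime, timedelta

# A few eventIDs from the page's log-source lists (Microsoft IIS and
# Universal DSM), mapped to the two building blocks the rule depends on.
BLOCKED_IDS = {"530", "FTP Action Denied", "FTP Denied", "TFTP Session Denied"}
SUCCESS_IDS = {"150", "125", "225", "File Transfer", "FTP Opened", "FTP Action Allowed"}
WINDOW = timedelta(minutes=5)  # window stated in the rule description

def classify(event_id):
    """Map an eventID to 'blocked', 'success' or None (not a transfer event)."""
    if event_id in BLOCKED_IDS:
        return "blocked"
    if event_id in SUCCESS_IDS:
        return "success"
    return None

def detect(events, min_blocked=2):
    """Return (user, blocked_count, success_time) for each successful transfer
    preceded by at least min_blocked blocked transfers inside WINDOW.
    min_blocked=2 is an assumption; events are (iso_ts, user, event_id)."""
    hits = []
    blocked = {}  # user -> timestamps of blocked transfers not yet matched
    for ts, user, eid in sorted(events):
        kind = classify(eid)
        if kind is None:
            continue
        t = datetime.fromisoformat(ts)
        if kind == "blocked":
            blocked.setdefault(user, []).append(t)
        else:
            recent = [b for b in blocked.get(user, []) if t - b <= WINDOW]
            if len(recent) >= min_blocked:
                hits.append((user, len(recent), t))
                blocked[user] = []  # fire once per burst of blocked attempts
    return hits

# Constructed sample events, not real logs: alice matches, bob's success is
# outside the window, carol has only the blocked side (no success eventID).
SAMPLE = [
    ("2024-01-01T10:00:00", "alice", "530"),
    ("2024-01-01T10:01:00", "alice", "530"),
    ("2024-01-01T10:03:30", "alice", "150"),
    ("2024-01-01T11:00:00", "bob", "FTP Denied"),
    ("2024-01-01T11:00:30", "bob", "FTP Denied"),
    ("2024-01-01T11:09:00", "bob", "FTP Action Allowed"),
    ("2024-01-01T12:00:00", "carol", "TFTP Session Denied"),
    ("2024-01-01T12:00:10", "carol", "TFTP Session Denied"),
]
```

Carol illustrates the required-configuration note: a log source that emits only the blocked eventIDs can never satisfy the rule, so the successful side must be present for the detection to fire.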