Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Security Essentials : Data Exfiltration

mahe90
Explorer
‎11-20-2018 04:10 AM

Hi,

SSE use case maps to the MITRE ATT&CK tactics. As we can see from MITRE ATT&CK, each tactic has various techniques. For "Data Exfiltration" , the techniques are "Data Transfer Size Limits" , "Exfil over Alternate Protocol" etc.

For example: In SSE, the example "Sources Sending a High Volume of DNS Traffic" mapped to MITRE ATT&CK's DataExfiltration. Splunk reports outliers. How do I know which technique splunk used to determine the outlier? Or Splunk doesn't use any of these techniques , it just uses the total bytes transferred and looking for anomalies and deviations from normal traffic levels.?

Thanks,
Mahesh

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...