Large Web Upload

Description

Uses a basic threshold to detect a large web upload, which could be exfiltration from malware or a malicious insider.


Use Case

Security Monitoring, Insider Threat

Category

Data Exfiltration

Security Impact

Data Exfiltration usually occurs over standard channels these days, with insiders uploading data to Google, Dropbox, Box, smaller file sharing sites, or even unlisted drop sites. Because HTTPS is always allowed out, exfiltration becomes relatively easy in most organizations. Detect those big transfers!

Alert Volume

Medium

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Exfiltration

MITRE ATT&CK Techniques

Exfiltration Over Command and Control Channel
Exfiltration Over Alternative Protocol

MITRE Threat Groups

APT3
APT32
APT33
FIN8
Gamaredon Group
Ke3chang
Kimsuky
Lazarus Group
OilRig
Soft Cell
Stealth Falcon
Thrip
Turla

Data Sources

Web Proxy

How to Implement

This search should work immediately in any Palo Alto Networks environment, and can be easily adapted to any other source of proxy visibility (dedicated proxies, or network visibility tools such as Splunk Stream or Bro). Just adjust the sourcetype and field names to match, and you will be good to go.

Known False Positives

By definition, this search is very simple and will fire for many innocent occurrences (uploading vacation photos, etc.). Many organizations filter it down by focusing on users who are on a watchlist, either because they have access to sensitive data (execs, scientists, etc.) or for employment reasons (performance plan, notice given, contract ending, etc.). These watchlists can be implemented with lookups.

How To Respond

When this fires, it will usually do so for perfectly legitimate reasons (uploading vacation photos, etc.). When it does fire, analysts typically look at where the data was sent and whether the user has uploaded data to that site before. Often analysts will call the user to confirm the activity, preferably already knowing that employee's status in the organization (e.g., whether they are on a performance plan or reaching the end of a contract, situations where the risk of data exfiltration is greater). If you have SSL inspection turned on via your NGFW, or DLP coverage for that site, you can sometimes see the actual files that were transferred, which helps provide context.

Help

Large Web Upload Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized Palo Alto Networks proxy logs (onboarded in accordance with our Data Onboarding Guides), during which someone does something bad. Our live search looks for the same behavior using the standardized sourcetypes for Palo Alto Networks or the Common Information Model.

SPL for Large Web Upload

Demo Data

First we bring in our basic demo dataset, proxy logs. We use a macro called Load_Sample_Log_Data as a wrapper around | inputlookup, just so the demo search is cleaner.
Then we simply filter for any events larger than about 35 MB.

Live Data

First we bring in our basic dataset, proxy logs, over the last 10 minutes.
Then we simply filter for any events larger than about 35 MB.
Finally we put the results in a tidy table so they are easy to read.
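The live search described in the three steps above, combined with the watchlist lookup suggested under Known False Positives, written out as an added example (this is not the page's own SPL). It assumes the Palo Alto Networks add-on sourcetype pan:traffic with its bytes_out, user, src_ip, dest_ip and app fields; any other proxy source only needs the sourcetype and field names swapped. The lookup file user_watchlist.csv, with columns user and watchlist_reason, is hypothetical and would be maintained by the organization.

```spl
sourcetype=pan:traffic earliest=-10m latest=now
| where bytes_out > 35000000
| lookup user_watchlist.csv user OUTPUT watchlist_reason
| where isnotnull(watchlist_reason)
| eval mbytes_out=round(bytes_out/1024/1024, 1)
| table _time user src_ip dest_ip app bytes_out mbytes_out watchlist_reason
```

The lookup line and the isnotnull filter are what turn the raw threshold into the watchlist-scoped version; remove those two lines to get the plain "any large upload" search, which is noisier but also catches unexpected insiders and malware on hosts that are not on anyone's list. The 35000000 threshold is in bytes and should be tuned against a week or so of your own baseline before scheduling the search.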

Accelerated Data

This version uses tstats to quickly search an accelerated Web Proxy data model for any requests larger than 35 MB, and presents the results in a useful table.
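A tstats version of the same threshold against the Common Information Model Web data model, as an added example rather than the page's own search. It assumes the Web data model is accelerated and that the search head exposes the standard CIM field names Web.bytes_out, Web.user, Web.src, Web.dest and Web.url; the 10-minute span and the 35000000-byte threshold mirror the live search above.

```spl
| tstats summariesonly=true count, sum(Web.bytes_out) as bytes_out, values(Web.url) as url
    from datamodel=Web
    where Web.bytes_out > 35000000
    by _time span=10m, Web.user, Web.src, Web.dest
| rename Web.* as *
| eval mbytes_out=round(bytes_out/1024/1024, 1)
| sort - bytes_out
| table _time user src dest url count bytes_out mbytes_out
```

Because the where clause is evaluated per request before aggregation, only individual uploads over the threshold contribute to the summed bytes_out; a user drip-feeding many uploads just under 35 MB will not appear here, which is a known gap of any single-event threshold and a reason to pair this search with a per-user daily volume search. summariesonly=true keeps the search fast but silently ignores data that has not yet been accelerated, so confirm the data model's acceleration status before relying on it for alerting.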

Screenshot of Demo Data