场景概述
内部人员或攻击者将敏感数据传输到外部。
QRadar 检测方案
1. 大流量外发检测
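/*
 * Bulk outbound transfer per (internal source, external destination) within the
 * query's time window (the LAST clause follows this statement).
 *
 * sourcebytes is the byte count sent by the flow's *source*, so the result only
 * means "upload" if sourceip is inside the organisation. The original filtered the
 * destination alone; any flow between two external hosts that a sensor happens to
 * see (or a mis-directed flow record) would then count. Both ends are now checked.
 *
 * REFERENCESETCONTAINS(set, value) is the AQL membership test; NOT IN REFERENCESET()
 * is not a documented construct. NOTE(review): QRadar reference sets of type IP hold
 * individual addresses, not CIDR blocks -- if 'Internal_Networks' is meant to hold
 * ranges, replace the two membership tests with INCIDR('<cidr>', sourceip /
 * destinationip) per range, or use the network hierarchy.
 *
 * Threshold: 1073741824 bytes = 1 GiB per source/destination pair. Exfiltration spread
 * over many destinations stays below it; a companion query grouped by sourceip alone
 * catches that case. Allowlist sanctioned bulk destinations (backup, CDN, SaaS storage)
 * in a reference set to reduce noise.
 */
SELECT
    sourceip,
    destinationip,
    SUM(sourcebytes) AS upload_bytes,
    COUNT(*)         AS connections
FROM flows
WHERE REFERENCESETCONTAINS('Internal_Networks', sourceip)
  AND NOT REFERENCESETCONTAINS('Internal_Networks', destinationip)
GROUP BY sourceip, destinationip
HAVING upload_bytes > 1073741824
ORDER BY upload_bytes DESC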
LAST 24 HOURS

2. 异常时间访问检测
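/*
 * Access-category events outside business hours (before 08:00 or after 18:59),
 * aggregated per user / source address / event type over the last 7 days.
 *
 * starttime is an epoch-millisecond value; AQL has no ".HOUR" accessor, so the hour
 * is extracted with DATEFORMAT. The 'HH' pattern is zero-padded, which keeps the
 * string BETWEEN comparison correct ('08' .. '18' inclusive = business hours).
 * NOTE(review): DATEFORMAT renders in the console's configured time zone; for users
 * in other regions the window must be shifted or the query split per site.
 *
 * 'Access' is a *high-level* category name. CATEGORYNAME(category) returns the
 * low-level name (e.g. 'User Login Success') and would never equal 'Access', so the
 * original filter matched nothing; the comparison is made on highlevelcategory.
 *
 * Events without a username cannot be attributed to an insider and would otherwise
 * collapse into one noisy NULL bucket, so they are excluded here; a separate
 * source-address-only query can cover unauthenticated access.
 *
 * Threshold: 50 events per user/source/type in 7 days is a starting point -- compare
 * against the same user's in-hours baseline before alerting.
 */
SELECT
    username,
    sourceip,
    QIDNAME(qid) AS event_name,
    COUNT(*)     AS access_count
FROM events
WHERE DATEFORMAT(starttime, 'HH') NOT BETWEEN '08' AND '18'
  AND CATEGORYNAME(highlevelcategory) = 'Access'
  AND username IS NOT NULL
GROUP BY username, sourceip, qid
HAVING access_count > 50
ORDER BY access_count DESC
LAST 7 DAYS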