Unusual amount of outbound traffic (Data leak)
Goal
Looks for an unusually large spike in network traffic.
Description
Looks for an unusually large spike in outbound network traffic. Such a burst, if not explained by a surge in business activity, can indicate suspicious or malicious activity: large-scale data exfiltration may produce it, as may unusually large amounts of reconnaissance or enumeration traffic, and denial-of-service attacks or traffic floods can cause a similar surge.
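One way to implement the spike check over firewall events, as an added example that is not the rule's own logic: each source's outbound event count per window is compared with that source's own earlier windows, and a window far above that baseline is reported together with the destination countries seen in it. The hourly window, the sigma threshold and the sample events are assumptions; the field names follow the rule's required fields.

```python
"""Added example: flag sources whose outbound firewall event count in a window is
unusually high compared with their own recent baseline."""
import statistics
from collections import Counter, defaultdict


def make_events():
    """Constructed sample firewall events as
    (hour, sourceAddress, destinationAddress, destinationAddress.GeoIP.country_name)."""
    events = []
    for hour in range(6):
        events += [(hour, "10.0.0.5", "203.0.113.10", "United States")] * 20
        events += [(hour, "10.0.0.7", "198.51.100.4", "Germany")] * 15
    # Hour 5: 10.0.0.5 suddenly produces ten times its usual event count to a new destination.
    events += [(5, "10.0.0.5", "192.0.2.99", "Unknown")] * 180
    return events


def detect_spikes(events, sigma=3.0, min_windows=3):
    """Return one alert per (source, window) whose event count exceeds
    mean + sigma * stdev of that source's earlier windows (its baseline).
    Windows with fewer than min_windows of history are skipped."""
    per_src = defaultdict(Counter)          # source -> {window: event count}
    countries = defaultdict(set)            # (source, window) -> destination countries
    for window, src, _dst, country in events:
        per_src[src][window] += 1
        countries[(src, window)].add(country)

    alerts = []
    for src, counts in per_src.items():
        history = []                        # counts of earlier windows for this source
        for window, count in sorted(counts.items()):
            if len(history) >= min_windows:
                mean = statistics.mean(history)
                stdev = statistics.pstdev(history)
                # Floor of 1 event keeps a perfectly flat baseline from alerting on +1.
                threshold = mean + sigma * max(stdev, 1.0)
                if count > threshold:
                    alerts.append({"sourceAddress": src, "window": window,
                                   "count": count, "baseline_mean": round(mean, 1),
                                   "countries": sorted(countries[(src, window)])})
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(make_events()):
        print(alert)
```

In production the baseline would come from a rolling store rather than the same batch, and a byte-volume variant of the same check catches exfiltration that uses few but large connections.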
Characteristics
Name
Hi count outbound traffic
Type
Network
Data source
Firewall
Required fields
sourceAddress
destinationAddress
destinationAddress.GeoIP.country_name (optional)
Last updated