Managed Sentinel – Alert 042

Alert ID: MS-A042
Alert Name: Excessive outbound traffic (data transferred out from internal network)
Description: This alert triggers when the volume of outbound data sent exceeds the normal baseline (outlier).
Severity Level: Medium
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Execution; Defense Evasion; Exfiltration
Log sources: Firewall
False Positives: Offsite backup processes; Office 365 SharePoint and OneDrive; any sanctioned SaaS cloud applications
Recommendations: Identify the internal host(s) and user generating the large volume of data transfer. Identify the application transport used for the data transfer.
If any privacy regulations apply to your organization, engage your Privacy and Compliance office for an internal investigation to determine whether any sensitive files were sent out of the company network.
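As an added illustration, not Managed Sentinel's own rule logic, the Python below runs the baseline comparison this alert describes over constructed firewall log lines: it sums bytes sent per internal host per day, builds each host's own baseline from earlier days, and flags the latest day when it is an outlier. It assumes a simple key=value log format and a hypothetical allowlist of sanctioned destinations (the backup and SaaS traffic listed as false positives above).

```python
import re
import statistics
from collections import defaultdict
# Constructed sample firewall log lines (not from the alert page): day, internal source,
# external destination and bytes sent out. 10.0.0.5 jumps on the last day; 10.0.0.9 only
# sends a large volume to the sanctioned (backup) destination.
FIREWALL_LOGS = """\
2024-03-01 src=10.0.0.5 dst=203.0.113.10 bytes_out=52000000
2024-03-02 src=10.0.0.5 dst=203.0.113.10 bytes_out=48000000
2024-03-03 src=10.0.0.5 dst=203.0.113.10 bytes_out=51000000
2024-03-04 src=10.0.0.5 dst=203.0.113.10 bytes_out=49000000
2024-03-05 src=10.0.0.5 dst=198.51.100.7 bytes_out=2400000000
2024-03-01 src=10.0.0.9 dst=203.0.113.22 bytes_out=10000000
2024-03-02 src=10.0.0.9 dst=203.0.113.22 bytes_out=12000000
2024-03-03 src=10.0.0.9 dst=203.0.113.22 bytes_out=9000000
2024-03-04 src=10.0.0.9 dst=203.0.113.22 bytes_out=11000000
2024-03-05 src=10.0.0.9 dst=203.0.113.22 bytes_out=13000000
2024-03-05 src=10.0.0.9 dst=192.0.2.50 bytes_out=900000000
"""
# Hypothetical allowlist of sanctioned destinations (offsite backup, approved SaaS).
SANCTIONED_DST = {"192.0.2.50"}
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")

def daily_bytes_out(logs, sanctioned_dst=SANCTIONED_DST):
    """Sum bytes sent per internal host per day, skipping sanctioned destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in logs.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than break the rule
        day, src, dst, nbytes = m.groups()
        if dst not in sanctioned_dst:
            totals[src][day] += int(nbytes)
    return totals

def detect_outliers(totals, z_threshold=3.0, min_baseline_days=3):
    """Flag hosts whose latest day is more than z_threshold std devs above their own baseline."""
    alerts = {}
    for src, per_day in totals.items():
        days = sorted(per_day)
        if len(days) <= min_baseline_days:
            continue  # too little history to build a baseline
        baseline = [per_day[d] for d in days[:-1]]
        latest = per_day[days[-1]]
        mean = statistics.mean(baseline)
        stdev = statistics.stdev(baseline) or 1.0  # flat baseline: avoid division by zero
        z = (latest - mean) / stdev
        if z > z_threshold:
            alerts[src] = {"day": days[-1], "bytes_out": latest, "baseline_mean": mean, "z": round(z, 1)}
    return alerts
```

With the allowlist in place only 10.0.0.5 is flagged; dropping the allowlist (`sanctioned_dst=set()`) also flags 10.0.0.9's backup traffic, which is the false-positive case the card warns about.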