Managed Sentinel – Alert 042

Alert ID: MS-A042
Alert Name: Excessive outbound traffic (data transferred out from internal network)
Description: This alert triggers when the volume of outbound data sent exceeds the normal baseline (an outlier). The higher the score, the further the observed value is from the baseline.
Severity Level: Medium
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Execution, Defense Evasion, Exfiltration
Log sources: Firewall
False Positives: Offsite backup processes; Office 365 SharePoint and OneDrive; any sanctioned SaaS cloud applications.
Recommendations:
1. Identify the internal host(s) and user generating the large volume of data transfer.
2. Identify the application transport used for the data transfer.
3. Review traffic logs in the perimeter firewall and understand the type and volume of data transferred outbound.
4. Review any local logs or evidence to determine which files/directories were moved outside.
5. If a DLP solution is used, check its logs to validate whether any data violates the organization's policies.
If any privacy regulations apply to your organization, engage your Privacy and Compliance office for an internal investigation to determine whether any sensitive files were sent out of the company network.
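The following is an added example, not the Managed Sentinel rule's own logic, showing how a per-host outbound baseline and outlier score can be computed from firewall egress logs. It assumes each log line carries a date, source host, destination, port and bytes-out (constructed sample lines, not captured from a real device), and it uses a median/MAD robust z-score as the "distance from baseline"; that scoring method is an assumption, since the page does not state how the score is derived. The sample includes a backup server whose consistently large transfers stay inside its own baseline, which is the false-positive case the alert notes.

```python
"""Baseline outlier scoring for outbound bytes per internal host.

Added example, not the Managed Sentinel rule's own logic. Assumes each
firewall log line is "date,src_host,dst_ip,dst_port,bytes_out"; the score
is a robust z-score (median / MAD), which is an assumption about how
"distance from baseline" is measured.
"""
from collections import defaultdict
from statistics import median

# Constructed sample firewall log lines (not captured from a real device).
# Fields: date,src_host,dst_ip,dst_port,bytes_out
SAMPLE_LOGS = """\
2024-03-01,ws-101,203.0.113.10,443,120000
2024-03-01,ws-101,203.0.113.11,443,95000
2024-03-01,srv-backup,198.51.100.5,443,4800000000
2024-03-02,ws-101,203.0.113.10,443,110000
2024-03-02,srv-backup,198.51.100.5,443,5100000000
2024-03-03,ws-101,203.0.113.12,443,130000
2024-03-03,srv-backup,198.51.100.5,443,4900000000
2024-03-04,ws-101,203.0.113.10,443,105000
2024-03-04,srv-backup,198.51.100.5,443,5000000000
2024-03-05,ws-101,203.0.113.10,443,115000
2024-03-05,srv-backup,198.51.100.5,443,4950000000
2024-03-06,ws-101,203.0.113.99,443,25000000
2024-03-06,srv-backup,198.51.100.5,443,5050000000
"""


def parse_logs(text):
    """Return {host: {date: total_bytes_out}} aggregated per host and day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, host, _dst_ip, _dst_port, bytes_out = line.split(",")
        totals[host][date] += int(bytes_out)
    return totals


def robust_zscore(value, history):
    """Distance of `value` from the baseline of `history`, in scaled MAD units.

    Returns 0.0 when there is too little history to form a baseline.
    """
    if len(history) < 3:
        return 0.0
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # No spread in the baseline: any deviation is treated as extreme.
        return 0.0 if value == med else float("inf")
    # 1.4826 scales the MAD so it is comparable with a standard deviation.
    return (value - med) / (1.4826 * mad)


def score_day(totals, day, threshold=5.0):
    """Score each host's outbound bytes on `day` against its prior days.

    Dates are ISO strings, so plain string comparison orders them correctly.
    """
    results = {}
    for host, per_day in totals.items():
        if day not in per_day:
            continue
        history = [b for d, b in per_day.items() if d < day]
        score = robust_zscore(per_day[day], history)
        results[host] = {
            "bytes_out": per_day[day],
            "score": round(score, 2),
            "alert": score > threshold,
        }
    return results


if __name__ == "__main__":
    day_scores = score_day(parse_logs(SAMPLE_LOGS), "2024-03-06")
    for host, info in sorted(day_scores.items()):
        print(f"{host:12s} bytes_out={info['bytes_out']:>12d} "
              f"score={info['score']:>8} alert={info['alert']}")
```

On the sample data the workstation's 25 MB day scores far above the threshold while the backup server, despite moving several gigabytes, stays near zero because its baseline already contains that volume. In practice the history window, the threshold and the choice of a per-host versus per-user baseline are the tuning knobs that decide how many sanctioned SaaS and backup transfers surface as alerts.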