Detects excessive outbound HTTP(S) traffic to a remote host from uncommon or previously unseen processes.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | NSM:Flow | HTTP |
| Field | Description |
|---|---|
| OutboundByteThreshold | Ratio of outbound to inbound bytes above which a flow is flagged as possible obfuscated traffic; lower values catch more at the cost of false positives from legitimate uploads |
| ProcessAllowlist | Known legitimate network clients (browsers, updaters, management agents) excluded from the anomaly check |
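Detection logic for this analytic, written here as an added example rather than code from the page or from ATT&CK. It assumes NSM flow records already reduced to per-flow dictionaries with a process name, destination and byte counts (field names, the allowlist, the threshold value and the sample flows are all assumptions, constructed for illustration). Flows are aggregated per process and destination before the ratio is taken so a burst of short uploads is judged as a whole, and tiny flows are ignored because their ratio is meaningless:

```python
from collections import defaultdict

# Constructed sample NSM flow records (not captured traffic); IPs are documentation ranges.
SAMPLE_FLOWS = [
    {"proc": "chrome.exe",  "dst": "203.0.113.10", "bytes_out": 12_000,  "bytes_in": 450_000},
    {"proc": "svchost.exe", "dst": "203.0.113.11", "bytes_out": 3_000,   "bytes_in": 90_000},
    {"proc": "updater.exe", "dst": "198.51.100.7", "bytes_out": 850_000, "bytes_in": 2_100},
    {"proc": "updater.exe", "dst": "198.51.100.7", "bytes_out": 910_000, "bytes_in": 1_900},
    {"proc": "chrome.exe",  "dst": "203.0.113.12", "bytes_out": 600_000, "bytes_in": 4_000},
    {"proc": "curl",        "dst": "198.51.100.9", "bytes_out": 20,      "bytes_in": 0},
]

# Tunables corresponding to the analytic's mutable elements (the values are assumptions).
OUTBOUND_BYTE_THRESHOLD = 10.0      # flag when bytes_out / bytes_in exceeds this
PROCESS_ALLOWLIST = {"chrome.exe", "svchost.exe", "firefox.exe"}
MIN_OUTBOUND_BYTES = 100_000        # ignore tiny flows where the ratio is meaningless


def aggregate_flows(flows):
    """Sum bytes per (process, destination) so a burst of short uploads is judged as a whole."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0})
    for f in flows:
        key = (f["proc"], f["dst"])
        totals[key]["bytes_out"] += f["bytes_out"]
        totals[key]["bytes_in"] += f["bytes_in"]
    return totals


def outbound_ratio(bytes_out, bytes_in):
    """Outbound-to-inbound byte ratio; a flow with no inbound bytes at all is treated as infinite."""
    return float("inf") if bytes_in == 0 else bytes_out / bytes_in


def find_excessive_outbound(flows, allowlist=PROCESS_ALLOWLIST,
                            threshold=OUTBOUND_BYTE_THRESHOLD, min_out=MIN_OUTBOUND_BYTES):
    """Return one alert per (process, destination) whose aggregated traffic is mostly outbound
    and whose process is not on the allowlist."""
    alerts = []
    for (proc, dst), t in sorted(aggregate_flows(flows).items()):
        if proc in allowlist or t["bytes_out"] < min_out:
            continue
        ratio = outbound_ratio(t["bytes_out"], t["bytes_in"])
        if ratio > threshold:
            alerts.append({"proc": proc, "dst": dst, "ratio": ratio, **t})
    return alerts


if __name__ == "__main__":
    for a in find_excessive_outbound(SAMPLE_FLOWS):
        print(f"{a['proc']} -> {a['dst']}: out={a['bytes_out']} in={a['bytes_in']} ratio={a['ratio']:.1f}")
```

On the sample data only `updater.exe` is reported: its two flows to the same host total 1.76 MB out against 4 KB in. The large `chrome.exe` upload has a ratio well above the threshold too, which is exactly why the allowlist matters; drop it (pass `allowlist=set()`) and the browser upload is reported as well.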
Identifies custom or previously unseen userland processes that initiate a high volume of HTTP connections while receiving little response data.
| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| Field | Description |
|---|---|
| UserProcessBaseline | Per-user baseline of the processes and connection rates normally seen in that user's context; activity outside it is treated as abnormal |
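The auditd side of this analytic, as an added example (not code from the page or from ATT&CK): parse `SYSCALL` records for `connect(2)`, count attempts per user and executable in a sliding window, and alert when an executable outside the user's baseline exceeds the baseline's connection rate. The audit lines, the baseline contents, the window size and the rate limits are constructed assumptions; the syscall number is arch-specific, and 42 is `connect` only for x86_64 (`arch=c000003e`), so the filter checks both. Failed attempts are counted too, since a beacon whose server is unreachable still reveals itself:

```python
import re
from collections import defaultdict

# Constructed auditd SYSCALL records (not from a real host), trimmed to the fields used here.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1717000000.000:101): arch=c000003e syscall=42 success=yes exit=0 pid=2101 auid=1000 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="net_connect"
type=SYSCALL msg=audit(1717000010.000:102): arch=c000003e syscall=42 success=yes exit=0 pid=2101 auid=1000 uid=1000 comm="firefox" exe="/usr/lib/firefox/firefox" key="net_connect"
type=SYSCALL msg=audit(1717000020.000:103): arch=c000003e syscall=42 success=yes exit=0 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="net_connect"
type=SYSCALL msg=audit(1717000025.000:104): arch=c000003e syscall=42 success=yes exit=0 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="net_connect"
type=SYSCALL msg=audit(1717000030.000:105): arch=c000003e syscall=42 success=yes exit=0 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="net_connect"
type=SYSCALL msg=audit(1717000035.000:106): arch=c000003e syscall=42 success=yes exit=0 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="net_connect"
type=SYSCALL msg=audit(1717000040.000:107): arch=c000003e syscall=42 success=yes exit=0 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="net_connect"
type=SYSCALL msg=audit(1717000045.000:108): arch=c000003e syscall=42 success=yes exit=0 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="net_connect"
type=SYSCALL msg=audit(1717000050.000:109): arch=c000003e syscall=42 success=no exit=-111 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="net_connect"
type=SYSCALL msg=audit(1717000060.000:110): arch=c000003e syscall=42 success=yes exit=0 pid=4001 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net_connect"
type=SYSCALL msg=audit(1717000070.000:111): arch=c000003e syscall=42 success=yes exit=0 pid=900 auid=0 uid=0 comm="apt-get" exe="/usr/bin/apt-get" key="net_connect"
type=SYSCALL msg=audit(1717000071.000:112): arch=c000003e syscall=257 success=yes exit=5 pid=3001 auid=1000 uid=1000 comm="beacon" exe="/home/alice/.cache/beacon" key="file_open"
"""

# UserProcessBaseline (assumed content): per uid, the executables normally seen and the
# most connect() attempts any of them makes within one window. Unknown uids get an empty profile.
USER_PROCESS_BASELINE = {
    1000: {"known_exes": {"/usr/lib/firefox/firefox", "/usr/bin/curl"}, "max_connects_per_window": 5},
    0:    {"known_exes": {"/usr/bin/apt-get"}, "max_connects_per_window": 20},
}
WINDOW_SECONDS = 60

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value and key="quoted value"
_TS = re.compile(r'audit\((\d+\.\d+):\d+\)')          # msg=audit(SECONDS.MS:SERIAL)


def parse_audit_line(line):
    """Split one auditd record into a dict of fields, unquoting values and adding a float ts."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _TS.search(line)
    if m:
        fields["ts"] = float(m.group(1))
    return fields


def connect_events(text, arch="c000003e", connect_nr="42"):
    """Yield (ts, uid, exe) for every connect(2) attempt on the given arch, successful or not."""
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f.get("type") == "SYSCALL" and f.get("arch") == arch and f.get("syscall") == connect_nr:
            yield f["ts"], int(f["uid"]), f["exe"]


def max_in_window(timestamps, window):
    """Largest number of events falling inside any span of `window` seconds (two-pointer sweep)."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_unseen_high_volume(text, baseline=USER_PROCESS_BASELINE, window=WINDOW_SECONDS):
    """Alert on executables outside the user's baseline that burst past the baseline connect rate."""
    per_key = defaultdict(list)
    for ts, uid, exe in connect_events(text):
        per_key[(uid, exe)].append(ts)
    alerts = []
    for (uid, exe), stamps in sorted(per_key.items()):
        profile = baseline.get(uid, {"known_exes": set(), "max_connects_per_window": 0})
        burst = max_in_window(stamps, window)
        if exe not in profile["known_exes"] and burst > profile["max_connects_per_window"]:
            alerts.append({"uid": uid, "exe": exe, "connects_in_window": burst, "first_seen": stamps[0]})
    return alerts


if __name__ == "__main__":
    for a in find_unseen_high_volume(SAMPLE_AUDIT):
        print(f"uid={a['uid']} exe={a['exe']} connects/{WINDOW_SECONDS}s={a['connects_in_window']}")
```

The `openat` record (syscall 257) and the known `firefox`, `curl` and `apt-get` activity produce nothing; the unknown executable under the user's cache directory, with seven attempts in thirty seconds, is the one alert. Response volume is not visible in `SYSCALL` records, so the "low response volume" half of the analytic has to come from the flow data (the byte-ratio check above) joined on pid or destination.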
Flags unexpected user applications that hold long-lived HTTP(S) sessions with irregular traffic patterns.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | network flow |
| Process Creation (DC0032) | macos:unifiedlog | process |
| Field | Description |
|---|---|
| SessionDuration | Session length beyond which a session is flagged, expressed relative to the average session length observed for that user |
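Session-length scoring for this analytic, as an added example (not code from the page or from ATT&CK). It assumes the unified log's network-flow and process events have already been correlated into per-session records with user, process, duration and byte counts; those records, the per-user baseline they are compared against, the 3x multiplier that stands in for SessionDuration and the idle-throughput cutoff used as the "irregular traffic" signal are all constructed assumptions. Users with no history fall back to the fleet-wide average rather than being skipped:

```python
from statistics import fmean

# Constructed session records in the shape one would derive from macOS unified log
# network-flow and process events (not real log data). Durations are in seconds.
BASELINE_SESSIONS = [
    {"user": "alice", "proc": "Safari",          "duration": 120, "bytes_out": 40_000, "bytes_in": 900_000},
    {"user": "alice", "proc": "Safari",          "duration": 300, "bytes_out": 55_000, "bytes_in": 2_400_000},
    {"user": "alice", "proc": "Safari",          "duration": 90,  "bytes_out": 12_000, "bytes_in": 300_000},
    {"user": "alice", "proc": "softwareupdated", "duration": 240, "bytes_out": 8_000,  "bytes_in": 60_000_000},
    {"user": "bob",   "proc": "Safari",          "duration": 600, "bytes_out": 80_000, "bytes_in": 5_000_000},
    {"user": "bob",   "proc": "Safari",          "duration": 900, "bytes_out": 70_000, "bytes_in": 4_000_000},
]
CURRENT_SESSIONS = [
    {"user": "alice", "proc": "Safari", "duration": 400,  "bytes_out": 30_000, "bytes_in": 1_000_000},
    {"user": "alice", "proc": "helper", "duration": 7200, "bytes_out": 36_000, "bytes_in": 28_000},
    {"user": "bob",   "proc": "Safari", "duration": 1000, "bytes_out": 90_000, "bytes_in": 6_000_000},
    {"user": "carol", "proc": "Safari", "duration": 500,  "bytes_out": 20_000, "bytes_in": 700_000},
]

SESSION_DURATION_MULTIPLIER = 3.0   # SessionDuration: flag beyond 3x the user's average (assumption)
IDLE_BYTES_PER_SECOND = 100         # below this a long session is mostly idle: a held-open channel


def user_profiles(sessions):
    """Per-user average session length and the set of processes seen, from historical sessions."""
    by_user = {}
    for s in sessions:
        p = by_user.setdefault(s["user"], {"durations": [], "procs": set()})
        p["durations"].append(s["duration"])
        p["procs"].add(s["proc"])
    return {u: {"avg_duration": fmean(p["durations"]), "procs": p["procs"]} for u, p in by_user.items()}


def throughput(s):
    """Average bytes per second over the whole session, in either direction."""
    return (s["bytes_out"] + s["bytes_in"]) / s["duration"] if s["duration"] else float("inf")


def find_long_lived_sessions(current, baseline=BASELINE_SESSIONS,
                             multiplier=SESSION_DURATION_MULTIPLIER, idle_bps=IDLE_BYTES_PER_SECOND):
    """Alert on sessions longer than multiplier x the user's average, tagging why they stand out."""
    profiles = user_profiles(baseline)
    global_avg = fmean([s["duration"] for s in baseline])
    alerts = []
    for s in current:
        prof = profiles.get(s["user"])
        avg = prof["avg_duration"] if prof else global_avg   # unknown user: fall back to fleet average
        limit = multiplier * avg
        if s["duration"] <= limit:
            continue
        reasons = ["long_session"]
        if prof is None or s["proc"] not in prof["procs"]:
            reasons.append("unseen_process")
        if throughput(s) < idle_bps:
            reasons.append("idle_channel")
        alerts.append({**s, "user_avg": avg, "limit": limit, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_long_lived_sessions(CURRENT_SESSIONS):
        print(f"{a['user']}/{a['proc']}: {a['duration']}s vs limit {a['limit']:.0f}s, {', '.join(a['reasons'])}")
```

Only the two-hour `helper` session is reported: it is far past alice's limit, the process has never appeared in her baseline, and it moved under 10 bytes per second for the whole time. bob's 1000 s Safari session is long in absolute terms but normal for him, which is the reason the threshold is per user rather than global.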