Detects unusual outbound file transfer behavior using protocols like FTP, SMB, SMTP, or DNS, involving non-standard processes, off-hour activity, or uncommonly high volume.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| DataVolumeThresholdMB | Set threshold for outbound volume (e.g., >50 MB in a single connection). |
| ProtocolAllowList | Allow-listed protocols in use for specific machines or users (e.g., FTP allowed for backups). |
| TimeWindow | Define allowed time-of-day windows (e.g., flag after-hours file transfer). |
| ParentProcessAnomaly | Identify anomalous parent-child process relationships (e.g., `winword.exe` spawning `ftp.exe`). |

Detects file exfiltration using tools like curl, scp, or custom binaries over protocols such as FTP, HTTP/S, or DNS tunneling, especially outside baseline user behavior.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| File Access (DC0055) | auditd:SYSCALL | open |
| File Modification (DC0061) | auditd:SYSCALL | write |
| Network Traffic Flow (DC0078) | NSM:Flow | NetFlow/Zeek conn.log |

| Field | Description |
|---|---|
| ProtocolType | Flag unexpected protocols (e.g., HTTP on port 53 or FTP traffic from non-standard tools). |
| UserContext | Scope for privilege escalation or service account behavior. |
| FileExtensionSensitivity | Track movement of file types of interest (e.g., `.csv`, `.sql`, `.key`). |

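The Windows analytic above names four tunable fields (DataVolumeThresholdMB, ProtocolAllowList, TimeWindow, ParentProcessAnomaly) but lists no flow source for byte counts, while the Linux analytic adds one in the form of Zeek conn.log. The Python below is an added example, not code from the ATT&CK page: it joins Security 4688-style process records, Sysmon EventCode 3-style connections and conn.log-style flow bytes on process id and reports which of the four fields each outbound transfer trips. The simplified field names, thresholds and sample events are constructed assumptions, not the real Sysmon, Security log or Zeek schemas.

```python
from datetime import datetime

# Tunable fields from the analytic, filled in with constructed values.
DATA_VOLUME_THRESHOLD_MB = 50
PROTOCOL_ALLOW_LIST = {"backup.exe": {21}}      # ProtocolAllowList: FTP only for the backup agent
BUSINESS_HOURS = (8, 18)                        # TimeWindow: UTC hours treated as normal
ALT_PROTOCOL_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 445: "SMB"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}  # ParentProcessAnomaly: suspicious parents

def score_transfer(proc, conn, flow):
    """Reasons a (process, connection, flow) triple matches the analytic; [] if none."""
    if (port := conn["dst_port"]) not in ALT_PROTOCOL_PORTS:
        return []
    # Lower-cased file name component of the Windows paths in the 4688-style record
    image, parent = (proc[k].rsplit("\\", 1)[-1].lower() for k in ("image", "parent"))
    reasons = []
    if port not in PROTOCOL_ALLOW_LIST.get(image, set()):
        reasons.append(f"{ALT_PROTOCOL_PORTS[port]} from non-allow-listed {image}")
    hour = datetime.fromisoformat(conn["utc_time"]).hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        reasons.append(f"off-hours transfer at {hour:02d}:00 UTC")
    mb = flow["orig_bytes"] / 1_000_000          # DataVolumeThresholdMB on a single connection
    if mb > DATA_VOLUME_THRESHOLD_MB:
        reasons.append(f"{mb:.0f} MB outbound exceeds {DATA_VOLUME_THRESHOLD_MB} MB")
    if parent in OFFICE_APPS:
        reasons.append(f"{parent} spawned {image}")
    return reasons

def evaluate(proc_events, conn_events, flows):
    """Join 4688-style, Sysmon 3-style and flow records on process id; return {pid: reasons}."""
    procs, findings = {p["pid"]: p for p in proc_events}, {}
    for conn in conn_events:
        proc = procs.get(conn["pid"])
        flow = flows.get((conn["dst_ip"], conn["dst_port"]), {"orig_bytes": 0})
        if proc and (reasons := score_transfer(proc, conn, flow)):
            findings[conn["pid"]] = reasons
    return findings

SAMPLE_PROCS = [  # Constructed Security 4688-style records (not real logs): process and its creator
    {"pid": 4100, "image": r"C:\Windows\System32\ftp.exe", "parent": r"C:\Office16\WINWORD.EXE"},
    {"pid": 5200, "image": r"C:\BackupSuite\backup.exe", "parent": r"C:\Windows\System32\services.exe"},
]
SAMPLE_CONNS = [  # Constructed Sysmon EventCode 3-style records: outbound connection per process
    {"pid": 4100, "dst_ip": "203.0.113.10", "dst_port": 21, "utc_time": "2024-05-03T02:14:00"},
    {"pid": 5200, "dst_ip": "192.0.2.20", "dst_port": 21, "utc_time": "2024-05-03T10:00:00"},
]
SAMPLE_FLOWS = {  # Constructed Zeek conn.log-style records: originator bytes, keyed by destination
    ("203.0.113.10", 21): {"orig_bytes": 180_000_000},
    ("192.0.2.20", 21): {"orig_bytes": 30_000_000},
}
```

Running `evaluate(SAMPLE_PROCS, SAMPLE_CONNS, SAMPLE_FLOWS)` flags only pid 4100 with all four reasons; the allow-listed backup agent at 10:00 UTC moving 30 MB produces no finding.
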
Detects non-native file transfer via curl, Python scripts, or AppleScript using uncommon protocols like FTP, SMTP, or DNS exfiltration through mDNSResponder abuse.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | log stream (subsystem: com.apple.system.networking) |
| Process Creation (DC0032) | macos:osquery | process_events |
| File Creation (DC0039) | macos:osquery | file_events |

| Field | Description |
|---|---|
| ProtocolUnusualnessScore | Weight rarely-used protocols in user space. |
| ExecutableBaselining | Track which binaries usually call curl/nc and alert on deviation. |

Detects access to cloud APIs or CLI tools to move or sync files from sensitive buckets to external endpoints using protocols like HTTPS or S3 APIs.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | AWS:CloudTrail | PutObject, GetObject, CopyObject, DeleteObject |
| Network Traffic Flow (DC0078) | AWS:VPCFlowLogs | Outbound data flows |

| Field | Description |
|---|---|
| IAMRoleContext | Detect unauthorized use of roles for cloud storage manipulation. |
| GeoDestinationThreshold | Alert on outbound flows to geo-locations not seen in the training baseline. |

Detects outbound traffic from hostd/vpxa or guest VM interfaces using unauthorized protocols such as FTP, HTTP POST bursts, or long-lived DNS tunnels.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:hostd | logline inspection |
| Network Connection Creation (DC0082) | esxi:vmkernel | protocol egress |

| Field | Description |
|---|---|
| GuestTrafficBaseline | Expected protocols used by VMs attached to host interfaces. |
| ServiceAccountProfile | Unexpected network activity from hypervisor processes or monitoring agents. |