Processes that normally do not initiate network communications suddenly making outbound HTTPS connections with high outbound-to-inbound data ratios. Defender view: correlation between process creation logs (e.g., Word, Excel, PowerShell) and subsequent anomalous network traffic volumes toward common web services (Dropbox, Google Drive, OneDrive).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| MonitoredServices | List of legitimate web services to baseline (Dropbox, OneDrive, Google Drive). |
| ExfilVolumeThreshold | Outbound data threshold for flagging unusual activity, tunable by environment. |
| TimeWindow | Aggregation period to calculate anomalies in outbound data volume. |
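
The Windows correlation above, as an added example that is not part of the original page: it joins Sysmon EventCode=3 connections to the creating 4688 process by pid, aggregates outbound and inbound bytes per process per TimeWindow toward the MonitoredServices list, and alerts when a process that should not be talking to the network exceeds ExfilVolumeThreshold with an outbound-skewed byte ratio. The flat event shape, the field names, and all sample events are constructed for the example; Sysmon EID 3 records the connection but no byte counts, so `bytes_out`/`bytes_in` are assumed to have been joined in from a flow or proxy source on the connection tuple.

```python
from collections import defaultdict
from datetime import datetime

# Mutable elements from the detection strategy (tune per environment).
MONITORED_SERVICES = {"dropbox.com", "drive.google.com", "onedrive.live.com"}
NON_NETWORKING_PROCESSES = {"winword.exe", "excel.exe", "powershell.exe"}
EXFIL_VOLUME_THRESHOLD = 50 * 1024 * 1024   # outbound bytes per process per window
OUT_IN_RATIO_THRESHOLD = 10.0               # outbound:inbound byte ratio
TIME_WINDOW_SECONDS = 600                   # aggregation period

# Constructed sample events, already normalised to a flat shape (an assumption
# of this example; a real pipeline maps 4688 NewProcessId/NewProcessName and
# Sysmon EID 3 ProcessId/Image/DestinationHostname into it). Sysmon EID 3 logs
# the connection only, so bytes_out/bytes_in are assumed to be joined in from
# a flow or proxy source on the connection tuple.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:00:00+00:00", "pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": "2024-05-01T09:00:05+00:00", "pid": 4312, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2024-05-01T09:01:00+00:00", "pid": 4500, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]
NETWORK_EVENTS = [
    {"ts": "2024-05-01T09:02:00+00:00", "pid": 4120, "dest_host": "api.dropbox.com", "bytes_out": 40_000_000, "bytes_in": 100_000},
    {"ts": "2024-05-01T09:03:00+00:00", "pid": 4312, "dest_host": "drive.google.com", "bytes_out": 200_000_000, "bytes_in": 1_000_000},
    {"ts": "2024-05-01T09:04:00+00:00", "pid": 4500, "dest_host": "onedrive.live.com", "bytes_out": 2_000_000, "bytes_in": 500_000},
    {"ts": "2024-05-01T09:05:00+00:00", "pid": 4120, "dest_host": "api.dropbox.com", "bytes_out": 25_000_000, "bytes_in": 80_000},
    {"ts": "2024-05-01T09:06:00+00:00", "pid": 4120, "dest_host": "update.example.net", "bytes_out": 1_000, "bytes_in": 500_000},
    {"ts": "2024-05-01T09:07:00+00:00", "pid": 9999, "dest_host": "api.dropbox.com", "bytes_out": 90_000_000, "bytes_in": 10_000},
]


def image_basename(path):
    """Lower-cased executable name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_matches(host, services):
    """True when host is one of the monitored services or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in services)


def window_of(ts_iso, window_seconds):
    """Fixed-size time bucket for an ISO-8601 timestamp."""
    return int(datetime.fromisoformat(ts_iso).timestamp()) // window_seconds


def correlate(process_events, network_events, services=MONITORED_SERVICES,
              watched=NON_NETWORKING_PROCESSES, window_seconds=TIME_WINDOW_SECONDS):
    """Join network events to the creating process by pid and aggregate bytes
    per (pid, image, window) for watched processes talking to monitored services."""
    by_pid = {e["pid"]: e for e in process_events}
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "connections": 0})
    for n in network_events:
        proc = by_pid.get(n["pid"])
        if proc is None:                      # no matching 4688: cannot attribute
            continue
        name = image_basename(proc["image"])
        if name not in watched or not host_matches(n["dest_host"], services):
            continue
        t = totals[(n["pid"], name, window_of(n["ts"], window_seconds))]
        t["bytes_out"] += n["bytes_out"]
        t["bytes_in"] += n["bytes_in"]
        t["connections"] += 1
    return dict(totals)


def flag(totals, volume_threshold=EXFIL_VOLUME_THRESHOLD,
         ratio_threshold=OUT_IN_RATIO_THRESHOLD):
    """Alert on windows where a watched process pushed more than the volume
    threshold with a strongly outbound-skewed byte ratio."""
    alerts = []
    for (pid, name, win), t in sorted(totals.items()):
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if t["bytes_out"] >= volume_threshold and ratio >= ratio_threshold:
            alerts.append({"pid": pid, "image": name, "window": win,
                           "bytes_out": t["bytes_out"], "ratio": round(ratio, 1),
                           "connections": t["connections"]})
    return alerts


def run(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    return flag(correlate(process_events, network_events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In the constructed data only WINWORD.EXE (pid 4120) is flagged: its two Dropbox connections in the same window total 65 MB outbound against 180 KB inbound. Chrome's much larger transfer is ignored because a browser is not on the non-networking list, Excel stays under the volume threshold, and the connection from an unknown pid is dropped because it cannot be attributed to a 4688 event, which is the gap a pid-reuse or missing-log situation would leave.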
Processes (tar, curl, python scripts) accessing large file sets and initiating outbound HTTPS POST requests with payload sizes inconsistent with baseline activity. Defender perspective: detect abnormal sequence of file archival followed by encrypted uploads to external web services.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | curl or wget with POST/PUT options |
| File Access (DC0055) | auditd:SYSCALL | open/read of sensitive directories (/etc, /home/*) |
| Network Traffic Flow (DC0078) | NSM:Flow | sustained outbound HTTPS sessions with high data volume |

| Field | Description |
|---|---|
| MonitoredTools | Suspicious command-line utilities used for exfiltration (curl, wget, python). |
| DataVolumeThreshold | Bytes transferred threshold per session to flag unusual uploads. |
Office apps or scripts writing files followed by xattr manipulation (to evade quarantine) and subsequent HTTPS uploads. Defender perspective: anomalous file modification + outbound TLS traffic originating from non-networking apps (Word, Excel, Preview).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | execution of Office binaries with network activity |
| File Access (DC0055) | macos:unifiedlog | read/write of user documents prior to upload |
| Network Traffic Content (DC0085) | macos:unifiedlog | outbound TLS connections to cloud storage providers |

| Field | Description |
|---|---|
| WatchedApplications | Applications not expected to perform bulk data transfers (Office apps, Preview). |
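
Both the Linux sequence (archive of a sensitive directory, then a curl/wget upload, then a large HTTPS flow) and the macOS sequence (document written by a watched app, then a quarantine xattr change, then TLS to a cloud storage provider) are ordered-sequence detections, so the added example below, which is not code from the original page, implements one generic per-user sequence detector and feeds it both stage lists. The normalised event shape, the `user` key, and all sample events are constructed for the example rather than taken from raw auditd, NSM flow or unified log output; the MonitoredTools, DataVolumeThreshold and WatchedApplications values are placeholders to tune.

```python
from datetime import datetime
from os.path import basename

# Mutable elements (tunable).
MONITORED_TOOLS = {"curl", "wget"}
ARCHIVERS = {"tar", "zip", "gzip", "7z"}
SENSITIVE_DIRS = ("/etc", "/home", "/root")
DATA_VOLUME_THRESHOLD = 10 * 1024 * 1024           # bytes per session
WATCHED_APPLICATIONS = {"Microsoft Word", "Microsoft Excel", "Preview"}
CLOUD_STORAGE = {"dropbox.com", "drive.google.com", "onedrive.live.com"}
UPLOAD_FLAGS = {"-d", "--data", "--data-binary", "-F", "--form", "-T",
                "--upload-file", "--post-data", "--post-file"}
MAX_SEQUENCE_SPAN = 900                            # seconds from the first stage


def ts(e):
    return datetime.fromisoformat(e["ts"]).timestamp()


def detect_sequence(events, stages, key="user", max_span=MAX_SEQUENCE_SPAN):
    """Generic ordered-sequence detector: per key, walk events in time order and
    advance through `stages` (name, predicate) pairs; alert when the last stage
    is reached within max_span seconds of the first match. A partial match that
    ages out is dropped; events that match no pending stage are ignored."""
    state, alerts = {}, []
    for e in sorted(events, key=ts):
        k = e.get(key)
        st = state.get(k)
        if st and ts(e) - st["start"] > max_span:
            state.pop(k)
            st = None
        name, pred = stages[st["idx"] if st else 0]
        if not pred(e):
            continue
        if st is None:
            st = state[k] = {"idx": 0, "start": ts(e), "matched": []}
        st["matched"].append(name)
        st["idx"] += 1
        if st["idx"] == len(stages):
            alerts.append({"key": k, "stages": st["matched"], "span_seconds": ts(e) - st["start"]})
            state.pop(k)
    return alerts


def _cmd(e):
    return basename(e["argv"][0]) if e.get("type") == "EXECVE" and e.get("argv") else None


def host_in(host, services):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in services)


# Linux stage predicates (auditd EXECVE records and NSM flow summaries).
def is_sensitive_archive(e):
    return _cmd(e) in ARCHIVERS and any(a.startswith(SENSITIVE_DIRS) for a in e["argv"][1:])

def is_upload_command(e):
    """curl/wget invoked with a POST/PUT method or a request-body option."""
    if _cmd(e) not in MONITORED_TOOLS:
        return False
    toks = set(e["argv"][1:])
    return bool(toks & UPLOAD_FLAGS) or ("-X" in toks and bool(toks & {"POST", "PUT"}))

def is_large_https_flow(e):
    return e.get("type") == "FLOW" and e.get("dst_port") == 443 and e.get("bytes_out", 0) >= DATA_VOLUME_THRESHOLD


# macOS stage predicates (unified log file, process and network records).
def is_doc_write_by_watched_app(e):
    return e.get("type") == "FILE_WRITE" and e.get("app") in WATCHED_APPLICATIONS and e["path"].startswith("/Users/")

def is_quarantine_xattr_change(e):
    return _cmd(e) == "xattr" and ("com.apple.quarantine" in e["argv"] or "-c" in e["argv"])

def is_cloud_tls_from_watched_app(e):
    return (e.get("type") == "NET" and e.get("app") in WATCHED_APPLICATIONS
            and e.get("dst_port") == 443 and host_in(e["dst_host"], CLOUD_STORAGE))


LINUX_STAGES = [("archive_sensitive", is_sensitive_archive), ("upload_command", is_upload_command),
                ("large_https_flow", is_large_https_flow)]
MACOS_STAGES = [("doc_write", is_doc_write_by_watched_app), ("quarantine_xattr", is_quarantine_xattr_change),
                ("cloud_tls", is_cloud_tls_from_watched_app)]

# Constructed sample events; the flat shape is an assumption, not raw log output.
LINUX_EVENTS = [
    {"ts": "2024-05-01T10:00:00+00:00", "user": "alice", "type": "EXECVE", "argv": ["tar", "-czf", "/tmp/h.tgz", "/home/alice"]},
    {"ts": "2024-05-01T10:00:30+00:00", "user": "alice", "type": "EXECVE", "argv": ["ls", "-la", "/tmp"]},
    {"ts": "2024-05-01T10:01:00+00:00", "user": "alice", "type": "EXECVE", "argv": ["curl", "-X", "POST", "-F", "f=@/tmp/h.tgz", "https://files.example.net/up"]},
    {"ts": "2024-05-01T10:01:05+00:00", "user": "alice", "type": "FLOW", "dst_port": 443, "bytes_out": 120_000_000},
    {"ts": "2024-05-01T10:02:00+00:00", "user": "bob", "type": "EXECVE", "argv": ["tar", "-czf", "/tmp/b.tgz", "/home/bob/src"]},
    {"ts": "2024-05-01T10:02:30+00:00", "user": "bob", "type": "EXECVE", "argv": ["curl", "-sS", "https://pkgs.example.net/index"]},
    {"ts": "2024-05-01T10:02:40+00:00", "user": "bob", "type": "FLOW", "dst_port": 443, "bytes_out": 4_000},
]
MACOS_EVENTS = [
    {"ts": "2024-05-01T11:00:00+00:00", "user": "carol", "type": "FILE_WRITE", "app": "Microsoft Word", "path": "/Users/carol/Documents/q3.docx"},
    {"ts": "2024-05-01T11:00:20+00:00", "user": "carol", "type": "EXECVE", "argv": ["xattr", "-d", "com.apple.quarantine", "/Users/carol/Documents/q3.docx"]},
    {"ts": "2024-05-01T11:01:00+00:00", "user": "carol", "type": "NET", "app": "Microsoft Word", "dst_host": "api.dropbox.com", "dst_port": 443},
    {"ts": "2024-05-01T11:05:00+00:00", "user": "dan", "type": "FILE_WRITE", "app": "Microsoft Excel", "path": "/Users/dan/Documents/b.xlsx"},
    {"ts": "2024-05-01T11:06:00+00:00", "user": "dan", "type": "NET", "app": "Microsoft Excel", "dst_host": "api.dropbox.com", "dst_port": 443},
]


def run():
    return {"linux": detect_sequence(LINUX_EVENTS, LINUX_STAGES),
            "macos": detect_sequence(MACOS_EVENTS, MACOS_STAGES)}
```

Keying on the user rather than the pid is deliberate: each stage is a different process, so a pid-keyed correlation would never see all three. The cost is that two unrelated processes of the same user can complete the sequence together, which is why the span limit is short and why dan's write-then-upload without the xattr step stays silent.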
Abnormal API calls from user accounts invoking file upload endpoints outside normal baselines (M365, Google Drive, Box). Defender perspective: monitor unified audit logs for elevated frequency of Upload, Create, or Copy operations from compromised accounts.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | FileUploaded or FileCopied events |
| Network Traffic Content (DC0085) | saas:box | API calls exceeding baseline thresholds |

| Field | Description |
|---|---|
| APICallThreshold | Maximum number of API calls per user/session before triggering alert. |
| UserBaselineProfiles | Baseline normal data transfer patterns by user/role. |
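
The per-user baseline check above, as an added example that is not part of the original page: it counts FileUploaded/FileCopied operations per user per hour, builds a UserBaselineProfiles entry (mean and a mean-plus-three-standard-deviations limit) from each user's history, pools history by role so a user with no profile of their own is compared against their role, and applies APICallThreshold as a hard ceiling that fires regardless of baseline. The flattened m365-style event shape, the history, the role map and the audit events are all constructed for the example.

```python
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Mutable elements (tunable).
UPLOAD_OPERATIONS = {"FileUploaded", "FileCopied"}
API_CALL_THRESHOLD = 200        # hard ceiling per user per window
TIME_WINDOW_SECONDS = 3600
SIGMA = 3.0                     # standard deviations above the user's mean
MIN_STD = 1.0                   # floor so a flat history still leaves some slack

# Constructed baseline: historical per-hour counts of upload operations per
# user, plus a user-to-role map so users without history fall back to a pooled
# role profile. Both are assumptions of this example.
BASELINE_HISTORY = {
    "alice@example.com": [3, 5, 2, 4, 6, 3, 5, 4],
    "bob@example.com": [40, 55, 48, 60, 52, 45, 50, 58],
}
ROLE_OF = {"alice@example.com": "analyst", "bob@example.com": "design", "eve@example.com": "analyst"}


def _burst(user, op, n, start):
    """n constructed audit records for one user, one second apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i)).isoformat(), "user": user, "operation": op} for i in range(n)]


# Constructed audit events in a flattened m365-style shape (the real records carry
# UserId/Operation/CreationTime; the mapping to ts/user/operation is assumed).
AUDIT_EVENTS = (_burst("alice@example.com", "FileUploaded", 45, "2024-05-01T09:00:00+00:00")
                + _burst("bob@example.com", "FileUploaded", 50, "2024-05-01T09:00:00+00:00")
                + _burst("alice@example.com", "FileAccessed", 30, "2024-05-01T09:10:00+00:00")
                + _burst("eve@example.com", "FileCopied", 30, "2024-05-01T09:20:00+00:00"))


def build_profiles(history, role_of, sigma=SIGMA, min_std=MIN_STD):
    """Per-user {mean, limit} from history, and per-role profiles pooled from
    every user in that role."""
    def profile(samples):
        mean = statistics.mean(samples)
        return {"mean": mean, "limit": mean + sigma * max(statistics.pstdev(samples), min_std)}
    users = {u: profile(s) for u, s in history.items()}
    pooled = {}
    for u, s in history.items():
        pooled.setdefault(role_of.get(u), []).extend(s)
    roles = {r: profile(s) for r, s in pooled.items() if r is not None}
    return users, roles


def count_windows(events, ops=UPLOAD_OPERATIONS, window_seconds=TIME_WINDOW_SECONDS):
    """Upload-type operations per (user, fixed time window)."""
    counts = Counter()
    for e in events:
        if e["operation"] in ops:
            win = int(datetime.fromisoformat(e["ts"]).timestamp()) // window_seconds
            counts[(e["user"], win)] += 1
    return counts


def score(counts, users, roles, role_of, hard=API_CALL_THRESHOLD):
    """Hard ceiling first, then the user's own baseline, then the role baseline."""
    alerts = []
    for (user, win), n in sorted(counts.items()):
        prof = users.get(user) or roles.get(role_of.get(user))
        if n >= hard:
            reason = "above_api_call_threshold"
        elif prof and n > prof["limit"]:
            reason = "above_baseline"
        else:
            continue
        alerts.append({"user": user, "window": win, "count": n, "reason": reason,
                       "expected": round(prof["mean"], 1) if prof else None})
    return alerts


def run(events=AUDIT_EVENTS, history=BASELINE_HISTORY, role_of=ROLE_OF):
    users, roles = build_profiles(history, role_of)
    return score(count_windows(events), users, roles, role_of)
```

With the constructed history, alice's limit is about 7.7 uploads per hour, so 45 fires, while bob's 50 sits inside a design-role baseline that averages 51. eve has no history of her own and inherits the analyst role profile, so her 30 copies fire too; a user with no profile and no known role is only caught by the hard ceiling, which is the case to watch when onboarding new accounts.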
ESXi guest OS or management interface processes establishing unexpected external HTTPS connections. Defender perspective: monitor vmx or hostd processes making outbound web requests with significant data transfer.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | esxi:vmkernel | network session initiation with external HTTPS services |
| File Access (DC0055) | esxi:hostd | file copy or datastore upload via HTTPS |

| Field | Description |
|---|---|
| DatastoreTransferThreshold | Threshold for outbound transfers from ESXi datastores. |