Unusual processes (e.g., powershell.exe, excel.exe) accessing large local files and subsequently initiating HTTPS POST requests to domains associated with cloud storage services (e.g., dropbox.com, drive.google.com, box.com). Defender perspective: correlation between file reads in sensitive directories and high outbound traffic volume to known storage APIs.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| CloudStorageDomains | List of monitored domains for cloud services (dropbox.com, drive.google.com, onedrive.live.com). |
| ExfilVolumeThreshold | Data volume threshold (e.g., >10MB in a single session) used to flag abnormal transfers. |
| UserContext | User accounts permitted to use sanctioned cloud services versus unexpected accounts. |
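
As an added example (not part of the ATT&CK page or its analytic), a Python correlation over the Windows data sources above: a process that reads a file under a watched directory (Security EventCode 4663) and then opens a connection to a cloud-storage domain (Sysmon EventCode 3) within a short window is flagged, unless the account is on the UserContext allow-list. The field names, paths, allow-list and sample events are constructed for the example.

```python
from datetime import datetime, timedelta

# Tunables from the tables above (values assumed for this example).
CLOUD_STORAGE_DOMAINS = {"dropbox.com", "drive.google.com", "onedrive.live.com", "box.com"}
SENSITIVE_PATHS = ("c:\\finance\\", "c:\\hr\\")          # watched directories (assumed)
SANCTIONED_USERS = {"CORP\\backup-svc"}                   # UserContext allow-list (assumed)
WINDOW = timedelta(minutes=5)                             # max gap between read and upload

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
RC = r"C:\Tools\rclone.exe"

# Constructed sample events, already normalised from Security 4663 / Sysmon 3 records.
EVENTS = [
    {"t": "2024-05-01T09:00:02", "src": "Security", "code": 4663, "pid": 4120, "image": PS,
     "user": "CORP\\jdoe", "object": r"C:\Finance\Q1-payroll.xlsx"},
    {"t": "2024-05-01T09:00:41", "src": "Sysmon", "code": 3, "pid": 4120, "image": PS,
     "user": "CORP\\jdoe", "dest_host": "content.dropbox.com", "dest_port": 443},
    {"t": "2024-05-01T09:10:00", "src": "Security", "code": 4663, "pid": 5000, "image": RC,
     "user": "CORP\\backup-svc", "object": r"C:\Finance\nightly.zip"},
    {"t": "2024-05-01T09:10:05", "src": "Sysmon", "code": 3, "pid": 5000, "image": RC,
     "user": "CORP\\backup-svc", "dest_host": "content.dropbox.com", "dest_port": 443},
    {"t": "2024-05-01T09:30:00", "src": "Security", "code": 4663, "pid": 6100, "image": XL,
     "user": "CORP\\mlee", "object": r"C:\Finance\budget.xlsx"},
    {"t": "2024-05-01T09:30:09", "src": "Sysmon", "code": 3, "pid": 6100, "image": XL,
     "user": "CORP\\mlee", "dest_host": "sharepoint.corp.local", "dest_port": 443},
]

def is_cloud_storage(host):
    """True if host is a monitored cloud-storage domain or one of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)

def is_sensitive(path):
    return path.lower().startswith(SENSITIVE_PATHS)

def correlate(events):
    """Return (user, image, file, dest_host) for each read-then-upload chain by one process."""
    reads, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["pid"], ev["image"].lower())          # same process instance
        if ev["src"] == "Security" and ev["code"] == 4663 and is_sensitive(ev["object"]):
            reads.setdefault(key, []).append((datetime.fromisoformat(ev["t"]), ev["object"]))
        elif ev["src"] == "Sysmon" and ev["code"] == 3 and is_cloud_storage(ev["dest_host"]):
            if ev["user"] in SANCTIONED_USERS:
                continue                                 # sanctioned account: suppress
            now = datetime.fromisoformat(ev["t"])
            for when, obj in reads.get(key, []):
                if timedelta(0) <= now - when <= WINDOW:
                    alerts.append((ev["user"], ev["image"], obj, ev["dest_host"]))
    return alerts
```

On the sample events only the powershell.exe chain is flagged: the rclone upload is suppressed by the allow-list, and the Excel process connected to an internal host rather than a monitored domain.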
Processes such as curl, wget, rclone, or custom scripts executing uploads to cloud storage endpoints. Defender perspective: detect chained events where tar/gzip is executed to compress files followed by HTTPS PUT/POST requests to known storage services.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | curl -T, rclone copy |
| File Access (DC0055) | auditd:SYSCALL | read/open of sensitive file directories |
| Network Traffic Flow (DC0078) | NSM:Flow | large HTTPS outbound uploads |

| Field | Description |
|---|---|
| AllowedTools | Known tools used legitimately for backups (rclone, gsutil). Deviations raise suspicion. |
| WorkHours | Baseline normal data transfer hours to reduce false positives. |
Applications or scripts invoking cloud storage APIs (Dropbox sync, iCloud, Google Drive client) in unexpected contexts. Defender perspective: detect sensitive file reads by non-standard applications followed by unusual encrypted uploads to external cloud storage domains.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | execution of curl, rclone, or Office apps invoking network sessions |
| File Access (DC0055) | macos:unifiedlog | file read of sensitive directories |
| Network Traffic Content (DC0085) | macos:unifiedlog | outbound HTTPS connections to cloud storage APIs |

| Field | Description |
|---|---|
| WatchedApps | Track processes that normally should not upload data (e.g., Preview, Calculator). |
| EntropyThreshold | High-entropy file uploads may indicate encrypted payloads designed for exfiltration. |
Unusual ESXi processes (vmx, hostd) reading datastore files and generating outbound HTTPS traffic toward external cloud storage endpoints. Defender perspective: anomalous datastore activity followed by network transfers to Dropbox, AWS S3, or other storage services.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | esxi:hostd | datastore file access |
| Network Traffic Flow (DC0078) | esxi:vmkernel | network flows to external cloud services |

| Field | Description |
|---|---|
| DatastoreTransferThreshold | Threshold for outbound data exfiltration from ESXi datastore files. |
| ApprovedStorageServices | Whitelist of sanctioned storage providers used by admins for backup operations. |