Managed Sentinel – Alert 042
| Field | Value |
|---|---|
| Alert ID | MS-A042 |
| Alert Name | Excessive outbound traffic (data transferred out from internal network) |
| Description | This alert triggers when the volume of outbound data sent exceeds the normal baseline (an outlier). The higher the score, the further the observed volume is from the baseline value. |
| Severity Level | Medium |
| Threat Indicator | Improper Usage |
| MITRE ATT&CK Tactics | Execution, Defense Evasion, Exfiltration |
| Log sources | Firewall |
| False Positives | Offsite backup processes; Office 365 SharePoint and OneDrive; any sanctioned SaaS cloud applications |

Recommendations:

1. Identify the internal host(s) and user generating the large volume of data transfer.
2. Identify the application transport used for the data transfer.
3. Review traffic logs in the perimeter firewall and understand the type and volume of data transferred outbound.
4. Review any local logs or evidence to determine the files/directories moved outside.
5. If a DLP solution is used, check its logs to validate whether any data violates the organization's policies. If any privacy regulations apply to your organization, engage your Privacy and Compliance office for an internal investigation to find out whether any sensitive files were sent out of the company network.
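The following is an added example, not Managed Sentinel's own rule logic, showing the kind of baseline-versus-outlier scoring the description refers to and how an analyst can start on recommendation steps 1 to 3 from firewall data. It assumes firewall records of the form (day, source IP, destination IP, destination port, application, bytes out); the sample records, the host addresses, the `SANCTIONED_APPS` allowlist and the score threshold of 3 are all constructed for the example. Each internal host's outbound bytes for the current day are compared against that host's own prior-day totals as a z-score, sanctioned SaaS applications from the false-positive list are excluded before scoring, and a per-application, per-destination breakdown is produced for any flagged host.

```python
"""Per-host outbound-volume baseline scoring over firewall logs (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample firewall records (not real data):
# (day, src_ip, dst_ip, dst_port, app, bytes_out)
SAMPLE_LOGS = []
for day in range(1, 8):  # seven baseline days with a small day-to-day drift
    SAMPLE_LOGS.append((day, "10.0.0.5", "203.0.113.10", 443, "https", 50_000_000 + day * 1_000_000))
    SAMPLE_LOGS.append((day, "10.0.0.9", "203.0.113.20", 443, "https", 20_000_000 + day * 1_000_000))
    SAMPLE_LOGS.append((day, "10.0.0.12", "192.0.2.30", 443, "onedrive", 20_000_000 + day * 1_000_000))
TODAY = 8
SAMPLE_LOGS += [
    (TODAY, "10.0.0.5", "203.0.113.10", 443, "https", 1_500_000_000),  # far above baseline
    (TODAY, "10.0.0.5", "198.51.100.7", 21, "ftp", 500_000_000),
    (TODAY, "10.0.0.9", "203.0.113.20", 443, "https", 26_000_000),      # within baseline
    (TODAY, "10.0.0.12", "192.0.2.30", 443, "onedrive", 500_000_000),   # sanctioned SaaS
]

# Assumed allowlist of sanctioned SaaS applications (from the alert's false-positive list).
SANCTIONED_APPS = frozenset({"onedrive", "sharepoint"})


def daily_totals(logs, exclude_apps=frozenset()):
    """Sum bytes_out per (source host, day), skipping excluded applications."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _port, app, nbytes in logs:
        if app not in exclude_apps:
            totals[src][day] += nbytes
    return totals


def score_hosts(logs, today, exclude_apps=frozenset()):
    """z-score of each host's outbound bytes today against its own prior-day baseline.

    A host needs at least two baseline days and some traffic today to be scored.
    """
    scores = {}
    for host, per_day in daily_totals(logs, exclude_apps).items():
        baseline = [b for d, b in per_day.items() if d < today]
        if len(baseline) < 2 or today not in per_day:
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:  # perfectly flat baseline: floor the spread at 10% of the mean
            sigma = max(mu * 0.1, 1.0)
        scores[host] = (per_day[today] - mu) / sigma
    return scores


def flagged_hosts(logs, today, threshold=3.0, exclude_apps=SANCTIONED_APPS):
    """Hosts whose outbound volume today is an outlier (score above threshold)."""
    return {h: s for h, s in score_hosts(logs, today, exclude_apps).items() if s > threshold}


def breakdown(logs, host, day):
    """Bytes out per (app, destination, port) for one host on one day, largest first."""
    agg = defaultdict(int)
    for d, src, dst, port, app, nbytes in logs:
        if d == day and src == host:
            agg[(app, dst, port)] += nbytes
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for host, score in flagged_hosts(SAMPLE_LOGS, TODAY).items():
        print(f"{host}: score {score:.1f}")
        for (app, dst, port), nbytes in breakdown(SAMPLE_LOGS, host, TODAY):
            print(f"  {app:8s} -> {dst}:{port}  {nbytes:,} bytes")
```

The score is relative to each host's own history rather than a global threshold, which is what makes a backup server with a consistently high volume score low while a workstation that suddenly sends gigabytes scores high. Excluding sanctioned applications before scoring is a deliberate choice: it keeps the OneDrive host out of the alert entirely, so a compromised account pushing data through a sanctioned service would need a separate control (such as the DLP check in step 5) to be caught.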