Network Flow - Anomalous Data Transfer

Hello.

We get this alert from time to time but it contains so much data I don’t know where to start looking. Has anyone found anything valuable or is anyone able to use these types of alerts?

Alert name: Network Flow - Anomalous Data Transfer

We have them turned on. They do have a very high FP rate, but they can be useful to determine legitimate 1GB+ exfil situations. If you scroll down in the alert you can find data on where the source and destination were, and what % of it was going to the same destination. Let me know if you want more info.

2 Likes

Usually in our case there is one main domain that the data is going to; typically for us it’s OneDrive, which is expected when replacing their PC. If it were some wacky domain, we would research further.

I find myself copying the whole payload and dissecting it to try and find out what domain and source device are causing this alert. Any pointers on how you go about analyzing these types of alerts?

Just looking at the payload to determine IP/ports and make sure the behavior is within reason and allowed. Anything more than 2GB is going to make me suspicious; 99% of these alerts are under 1 gig though, which are mostly false positives for us.

1 Like
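The triage the replies above describe (aggregate the payload per source device, find the top destination and its share of the volume, then apply the "under 1 GB is mostly noise, over 2 GB is suspicious" rule of thumb) as an added example, not code from this thread. The flow records, field names (`src`, `dst`, `port`, `bytes`) and the expected-destination allow-list are constructed assumptions; the real alert payload will use different fields.

```python
from collections import defaultdict

GB = 1024 ** 3
# Thresholds taken from the thread: under ~1 GB is mostly noise, over 2 GB gets a closer look.
REVIEW_BYTES = 1 * GB
SUSPICIOUS_BYTES = 2 * GB
# Assumed allow-list of bulk-upload destinations that are expected (e.g. OneDrive during a PC swap).
EXPECTED_DOMAINS = {"onedrive.live.com", "sharepoint.com"}

# Constructed sample flow records; the real alert payload's field names will differ.
SAMPLE_FLOWS = [
    {"src": "LAPTOP-01", "dst": "onedrive.live.com", "port": 443, "bytes": 900 * 1024 ** 2},
    {"src": "LAPTOP-01", "dst": "onedrive.live.com", "port": 443, "bytes": 400 * 1024 ** 2},
    {"src": "LAPTOP-01", "dst": "cdn.example.net", "port": 443, "bytes": 50 * 1024 ** 2},
    {"src": "WS-77", "dst": "files.wackydomain.example", "port": 8443, "bytes": 1700 * 1024 ** 2},
    {"src": "WS-77", "dst": "files.wackydomain.example", "port": 8443, "bytes": 600 * 1024 ** 2},
    {"src": "WS-77", "dst": "updates.example.org", "port": 80, "bytes": 10 * 1024 ** 2},
    {"src": "PC-12", "dst": "teams.microsoft.com", "port": 443, "bytes": 300 * 1024 ** 2},
]

def summarize(flows):
    """Aggregate bytes per source host, and per (destination, port) under each host."""
    per_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[f["src"]][(f["dst"], f["port"])] += f["bytes"]
    return per_src

def dst_matches(dst, allowed):
    # Exact match or a subdomain of an allow-listed domain.
    return any(dst == a or dst.endswith("." + a) for a in allowed)

def triage(flows, expected=EXPECTED_DOMAINS):
    """One verdict per source host: total volume, top destination, its share and a label."""
    verdicts = []
    for src, dsts in summarize(flows).items():
        total = sum(dsts.values())
        (top_dst, top_port), top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        share = top_bytes / total
        if total < REVIEW_BYTES:
            label = "likely-fp"            # the "under 1 gig" bucket from the thread
        elif dst_matches(top_dst, expected) and share >= 0.9:
            label = "expected-destination"  # e.g. OneDrive sync during a device replacement
        elif total >= SUSPICIOUS_BYTES:
            label = "investigate"           # the "more than 2GB" bucket
        else:
            label = "review"
        verdicts.append({"src": src, "total_gb": round(total / GB, 2), "top_dst": top_dst,
                         "top_port": top_port, "top_share": round(share, 2), "label": label})
    return sorted(verdicts, key=lambda v: -v["total_gb"])  # biggest movers first

if __name__ == "__main__":
    print(*triage(SAMPLE_FLOWS), sep="\n")
```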