Query Details

Firewall Anomalous Outbound Data Volume - Exfiltration Risk

02 CSL Data Exfiltration Outbound Volume

Query

CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor in ("Fortinet", "Palo Alto Networks", "Zscaler")
| where DeviceAction !in ("deny", "block", "drop", "BLOCK", "DROP", "Reset-Both")
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
| where ipv4_is_private(SourceIP) == true
| where ipv4_is_private(DestinationIP) == false
| summarize
    TotalBytesSent    = sum(SentBytes),
    TotalBytesRecv    = sum(ReceivedBytes),
    SessionCount      = count(),
    DestIPs           = make_set(DestinationIP, 20),
    DestPorts         = make_set(DestinationPort, 10),
    HourlyBuckets     = dcount(bin(TimeGenerated, 1h)),
    DeviceVendors     = make_set(DeviceVendor)
  by SourceIP
| extend TotalMBSent = round(toreal(TotalBytesSent) / 1048576, 2)
| where TotalMBSent > 500
| order by TotalMBSent desc

Explanation

This query is designed to detect potential data exfiltration activities by monitoring outbound data transfers from internal hosts to external destinations. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies internal hosts that send more than 500 MB of data to external destinations within a 24-hour period. This is considered a potential risk for data exfiltration.

  2. Data Sources: It uses logs from security devices like Fortinet, Palo Alto Networks, and Zscaler.

  3. Filtering Criteria:

    • The data is collected from the last 24 hours.
    • It only considers logs where the action was not blocked or denied.
    • It focuses on traffic from private (internal) IPs to public (external) IPs.
  4. Data Aggregation:

    • It calculates the total bytes sent and received by each internal IP.
    • It counts the number of sessions and unique destination IPs and ports.
    • It also tracks the number of hourly data transfer occurrences.
  5. Alert Conditions:

    • If an internal host sends more than 500 MB of data, it triggers an alert.
    • The alerts are sorted by the amount of data sent, in descending order.
  6. Alert Details:

    • The alert includes the source IP, the total MB sent, and the number of sessions.
    • It provides a custom alert name and description indicating possible data exfiltration.
  7. Incident Management:

    • An incident is created for each alert.
    • Incidents are grouped by the source IP to manage related alerts together.

Overall, this query helps security teams identify and respond to unusual and potentially harmful data transfers that could indicate data exfiltration attempts.

Details

David Alonso profile picture

David Alonso

Released: March 2, 2026

Tables

CommonSecurityLog

Keywords

CommonSecurityLogDeviceVendorSourceIPDestinationIPSentBytesReceivedBytesDestinationPortTimeGenerated

Operators

ago()in()!in()isnotempty()ipv4_is_private()summarizesum()count()make_set()dcount()bin()extendround()toreal()order by

Severity

High

Tactics

Exfiltration

MITRE Techniques

Frequency: 1h

Period: 1d

Actions

GitHub