Rule : Possible Data Exfiltration - Unusual Outbound Upload from Internal Host
Outbound Upload From Internal Host
Query
let MinUploadBytes = 500000000; // 500 MB
let PrivateIPRegex = @"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)"; // regex matches private IPs
CommonSecurityLog
| where TimeGenerated > ago(1h) // lokks for last 1 hour logs
| where isnotempty(SourceIP) // where sourceIP is parsed
| where isnotempty(DestinationIP) // where destinationIP is parsed
| where SourceIP matches regex PrivateIPRegex
| where not(DestinationIP matches regex PrivateIPRegex)
| where DeviceAction in~ ("allow", "allowed", "accept", "accepted", "permitted")
| where isnotempty(SentBytes)
| summarize
TotalBytesSent = sum(tolong(SentBytes)),
TotalBytesReceived = sum(tolong(ReceivedBytes)),
Connections = count(),
DestinationIPs = make_set(DestinationIP, 20),
DestinationPorts = make_set(DestinationPort, 20),
Applications = make_set(ApplicationProtocol, 20),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP
| where TotalBytesSent >= MinUploadBytes
| extend TotalGBSent = round(TotalBytesSent / 1024.0 / 1024.0 / 1024.0, 2)
| extend TotalGBReceived = round(TotalBytesReceived / 1024.0 / 1024.0 / 1024.0, 2)
| extend UploadRatio = round(todouble(TotalBytesSent) / todouble(TotalBytesSent + TotalBytesReceived) * 100, 2)
| where UploadRatio >= 95
| project
TimeGenerated = LastSeen,
SourceIP,
TotalGBSent,
TotalGBReceived,
UploadRatio,
Connections,
DestinationIPs,
DestinationPorts,
Applications,
FirstSeen,
LastSeen
| order by TotalGBSent descAbout this query
Rule : Possible Data Exfiltration - Unusual Outbound Upload from Internal Host
Description
Detects potential data exfiltration when an internal source IP sends a large amount of outbound data to the internet, especially when the volume is significantly higher than its normal behavior.
Detection Logic
This query alerts when:
- Source IP is internal/private
- Destination IP is external/public
- Firewall action is allowed
- Data sent is more than 500 MB in 1 hour
- Traffic is mostly upload traffic, with upload ratio greater than 95%
MITRE ATT&CK
- T1048 - Exfiltration Over Alternative Protocol
- T1567 - Exfilteration Over Web Service
- T1020 - Automated Exfilteration
Tags
DataExfiltration, Firewall, CommonSecurityLog, LargeOutboundUpload, InternalToExternal, UploadRatioAnomaly
Search Query
References
Explanation
This query is designed to detect potential data exfiltration from an internal network to the internet. Here's a simplified explanation of how it works:
-
Purpose: The query aims to identify unusual outbound data transfers from internal IP addresses to external IP addresses, which might indicate data exfiltration.
-
Criteria for Detection:
- The source IP address must be internal (private IP range).
- The destination IP address must be external (public IP range).
- The firewall must have allowed the connection.
- The amount of data sent from the internal source must exceed 500 MB within a one-hour period.
- The traffic should predominantly consist of uploads, with at least 95% of the total traffic being outbound.
-
Process:
- The query checks logs from the past hour.
- It filters out entries where the source and destination IPs are not specified.
- It ensures the source IP is internal and the destination IP is external.
- It confirms that the firewall action was to allow the traffic.
- It calculates the total bytes sent and received, the number of connections, and other details like destination IPs, ports, and application protocols.
- It checks if the total data sent is above the threshold and if the upload ratio is high.
- The results are sorted by the amount of data sent, highlighting the largest uploads.
-
Outcome: The query produces a list of internal IPs that have sent a significant amount of data to external IPs, potentially indicating data exfiltration. It provides details such as the amount of data sent and received, the upload ratio, and connection details.
-
Relevance: This query is aligned with specific MITRE ATT&CK techniques related to data exfiltration, helping security teams identify and investigate suspicious data transfers.
Details

Ali Hussein
Released: July 2, 2026
Tables
Keywords
Operators