Query Details

Rule : Possible Data Exfiltration - Unusual Outbound Upload from Internal Host

Outbound Upload From Internal Host

Query

let MinUploadBytes = 500000000; // 500 MB
let PrivateIPRegex = @"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)"; // regex matches private IPs
CommonSecurityLog
| where TimeGenerated > ago(1h) // lokks for last 1 hour logs
| where isnotempty(SourceIP) // where sourceIP is parsed
| where isnotempty(DestinationIP) // where destinationIP is parsed
| where SourceIP matches regex PrivateIPRegex
| where not(DestinationIP matches regex PrivateIPRegex)
| where DeviceAction in~ ("allow", "allowed", "accept", "accepted", "permitted")
| where isnotempty(SentBytes)
| summarize
    TotalBytesSent = sum(tolong(SentBytes)),
    TotalBytesReceived = sum(tolong(ReceivedBytes)),
    Connections = count(),
    DestinationIPs = make_set(DestinationIP, 20),
    DestinationPorts = make_set(DestinationPort, 20),
    Applications = make_set(ApplicationProtocol, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP
| where TotalBytesSent >= MinUploadBytes
| extend TotalGBSent = round(TotalBytesSent / 1024.0 / 1024.0 / 1024.0, 2)
| extend TotalGBReceived = round(TotalBytesReceived / 1024.0 / 1024.0 / 1024.0, 2)
| extend UploadRatio = round(todouble(TotalBytesSent) / todouble(TotalBytesSent + TotalBytesReceived) * 100, 2)
| where UploadRatio >= 95
| project
    TimeGenerated = LastSeen,
    SourceIP,
    TotalGBSent,
    TotalGBReceived,
    UploadRatio,
    Connections,
    DestinationIPs,
    DestinationPorts,
    Applications,
    FirstSeen,
    LastSeen
| order by TotalGBSent desc

About this query

Rule : Possible Data Exfiltration - Unusual Outbound Upload from Internal Host

Description

Detects potential data exfiltration when an internal source IP sends a large amount of outbound data to the internet, especially when the volume is significantly higher than its normal behavior.

Detection Logic

This query alerts when:

  • Source IP is internal/private
  • Destination IP is external/public
  • Firewall action is allowed
  • Data sent is more than 500 MB in 1 hour
  • Traffic is mostly upload traffic, with upload ratio greater than 95%

MITRE ATT&CK

  • T1048 - Exfiltration Over Alternative Protocol
  • T1567 - Exfilteration Over Web Service
  • T1020 - Automated Exfilteration

Tags

DataExfiltration, Firewall, CommonSecurityLog, LargeOutboundUpload, InternalToExternal, UploadRatioAnomaly

Search Query

References

Explanation

This query is designed to detect potential data exfiltration from an internal network to the internet. Here's a simplified explanation of how it works:

  1. Purpose: The query aims to identify unusual outbound data transfers from internal IP addresses to external IP addresses, which might indicate data exfiltration.

  2. Criteria for Detection:

    • The source IP address must be internal (private IP range).
    • The destination IP address must be external (public IP range).
    • The firewall must have allowed the connection.
    • The amount of data sent from the internal source must exceed 500 MB within a one-hour period.
    • The traffic should predominantly consist of uploads, with at least 95% of the total traffic being outbound.
  3. Process:

    • The query checks logs from the past hour.
    • It filters out entries where the source and destination IPs are not specified.
    • It ensures the source IP is internal and the destination IP is external.
    • It confirms that the firewall action was to allow the traffic.
    • It calculates the total bytes sent and received, the number of connections, and other details like destination IPs, ports, and application protocols.
    • It checks if the total data sent is above the threshold and if the upload ratio is high.
    • The results are sorted by the amount of data sent, highlighting the largest uploads.
  4. Outcome: The query produces a list of internal IPs that have sent a significant amount of data to external IPs, potentially indicating data exfiltration. It provides details such as the amount of data sent and received, the upload ratio, and connection details.

  5. Relevance: This query is aligned with specific MITRE ATT&CK techniques related to data exfiltration, helping security teams identify and investigate suspicious data transfers.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 2, 2026

Tables

CommonSecurityLog

Keywords

DataExfiltrationFirewallCommonSecurityLogInternalToExternalUploadRatioAnomalySourceIPDestinationIPDeviceActionSentBytesReceivedBytesDestinationPortsApplicationsTimeGenerated

Operators

letagoisnotemptymatches regexnotin~summarizesumtolongcountmake_setminmaxbyextendroundtodoubleprojectorder by

MITRE Techniques

Actions

GitHub