outbound_smb_spike
Explanation
This security event monitors the amount of Windows Networking traffic leaving the network (including DCE-RPC, Netbios, or SMB). If there is high volume of this traffic leaving the network, it could be an indicator of a malware infection or an attempt to exfiltrate data.
What to Look For
Often networks communicate via Windows Networking with authorized cloud hosted systems such as Active Directory. The typical amount of communication in those transactions is not sufficient to trigger this alert. This alert will trigger on communications with higher amounts of packets or bytes transferred, which may indicate unauthorized activity such as data exfiltration.
Related MITRE ATT&CK Categories
Updated about 1 month ago