outbound_smb

Explanation

This security event monitors the amount of Windows Networking traffic leaving the network (including DCE-RPC, Netbios, or SMB). If there is high volume of this traffic leaving the network, it could be an indicator of a malware infection or an attempt to exfiltrate data.

What to Look For

Often networks communicate via Windows Networking with authorized cloud hosted systems such as Active Directory. The typical amount of communication in those transactions is not sufficient to trigger this alert. This alert will trigger on communications with higher amounts of packets or bytes transferred, which may indicate unauthorized activity such as data exfiltration.

Related MITRE ATT&CK Categories

Exfiltration Over Alternative Protocol , Techniques T1048