High Volume of Traffic from High or Critical Host Observed

Description

Alerts when a host whose asset priority is high or critical (as recorded in your asset inventory) generates an unusually large volume of outbound traffic compared with its normal baseline, as seen in web proxy logs. Sustained high-volume outbound traffic from a sensitive host may indicate that it has been compromised and data is being exfiltrated. It can also be legitimate (backups, cloud sync, software distribution), so review the destinations involved and tune the volume threshold for your environment before alerting on it.
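The detection logic described above, as an added illustration written for this page; it is not Splunk Security Essentials' own search. It aggregates outbound bytes per host and day from constructed web proxy records, looks up each host's priority in a constructed asset inventory (standing in for the asset lookup's priority field), and alerts on high/critical hosts whose current-day volume is at least a multiple of their own median daily baseline and above an absolute floor. The hosts, destinations, byte counts, multiplier and floor are all assumptions chosen for the example.

```python
"""Worked example of the detection logic: flag high/critical hosts whose
daily outbound byte count is far above their own baseline.

Added illustration, not Splunk Security Essentials' own search. All hosts,
destinations and byte counts below are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed asset inventory (stands in for the asset lookup's priority field).
ASSET_PRIORITY = {
    "10.0.1.10": "critical",  # hypothetical domain controller
    "10.0.1.20": "high",      # hypothetical finance file server
    "10.0.1.30": "high",      # hypothetical newly onboarded host, no history yet
    "10.0.5.77": "medium",
    "10.0.9.3": "low",
}

HIGH_PRIORITY = {"high", "critical"}

# Constructed web proxy events: (day, src, dest, bytes_out). ISO dates sort lexically.
PROXY_EVENTS = [
    ("2024-03-01", "10.0.1.10", "cdn.example.net", 25_000_000),
    ("2024-03-01", "10.0.1.10", "update.example.com", 15_000_000),
    ("2024-03-02", "10.0.1.10", "cdn.example.net", 38_000_000),
    ("2024-03-03", "10.0.1.10", "cdn.example.net", 42_000_000),
    ("2024-03-04", "10.0.1.10", "files.example-transfer.net", 600_000_000),
    ("2024-03-04", "10.0.1.10", "paste.example.org", 300_000_000),
    ("2024-03-01", "10.0.1.20", "cdn.example.net", 30_000_000),
    ("2024-03-02", "10.0.1.20", "cdn.example.net", 31_000_000),
    ("2024-03-03", "10.0.1.20", "cdn.example.net", 29_000_000),
    ("2024-03-04", "10.0.1.20", "cdn.example.net", 35_000_000),
    ("2024-03-04", "10.0.1.30", "storage.example-cloud.com", 150_000_000),
    ("2024-03-04", "10.0.5.77", "backup.example-cloud.com", 2_000_000_000),
    ("2024-03-04", "10.0.9.3", "cdn.example.net", 5_000_000),
]


def daily_bytes_out(events):
    """Sum bytes_out per (src, day): the equivalent of summing bytes_out by src and day."""
    totals = defaultdict(int)
    for day, src, _dest, bytes_out in events:
        totals[(src, day)] += bytes_out
    return totals


def top_destinations(events, src, day, n=3):
    """Destinations that received the most bytes from src on day, for triage."""
    per_dest = defaultdict(int)
    for d, s, dest, bytes_out in events:
        if s == src and d == day:
            per_dest[dest] += bytes_out
    return sorted(per_dest.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_high_volume_hosts(events, asset_priority, current_day,
                           factor=5.0, min_bytes=100_000_000):
    """Return alerts for high/critical hosts whose outbound volume on
    current_day is at least `factor` times their median daily volume on
    earlier days, and at least `min_bytes` (the floor keeps a host with a
    tiny or missing baseline from alerting on trivial traffic)."""
    totals = daily_bytes_out(events)
    history = defaultdict(list)
    today = {}
    for (src, day), bytes_out in totals.items():
        if day == current_day:
            today[src] = bytes_out
        elif day < current_day:
            history[src].append(bytes_out)

    alerts = []
    for src in sorted(today):
        priority = asset_priority.get(src, "unknown")
        if priority not in HIGH_PRIORITY:
            continue  # scope of this use case: only high/critical assets
        baseline = median(history[src]) if history[src] else 0
        threshold = max(min_bytes, factor * baseline)
        if today[src] >= threshold:
            alerts.append({
                "src": src,
                "priority": priority,
                "bytes_out": today[src],
                "baseline": baseline,
                "threshold": threshold,
                "top_dest": top_destinations(events, src, current_day),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_high_volume_hosts(PROXY_EVENTS, ASSET_PRIORITY, "2024-03-04"):
        print(f"{alert['src']} ({alert['priority']}): {alert['bytes_out']:,} bytes out, "
              f"baseline {alert['baseline']:,}, top destinations {alert['top_dest']}")
```

Two details of the sample are deliberate. The host with no history (10.0.1.30) still alerts because its 150 MB exceeds the absolute floor, which is the behaviour you want for freshly onboarded sensitive assets; and the medium-priority host that pushes 2 GB to a backup service is ignored, which is the trade-off of scoping this use case to high and critical assets. In Splunk the same shape is a sum of bytes_out by src over the proxy data, a lookup against the asset inventory to keep only high and critical priorities, and a comparison against a per-host baseline computed over a longer lookback window.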

Content Mapping



Use Case

Security Monitoring, Insider Threat

Category

Endpoint Compromise, Data Exfiltration, Insider Threat

SPL Difficulty

Advanced

Journey

Stage 4

MITRE ATT&CK Tactics

Exfiltration (TA0010)

MITRE ATT&CK Techniques

Exfiltration Over Alternative Protocol (T1048)
Exfiltration Over C2 Channel (T1041)

MITRE Threat Groups

APT3
APT32
Frankenstein
Gamaredon Group
Ke3chang
Kimsuky
Lazarus Group
MuddyWater
Sandworm Team
Soft Cell
Stealth Falcon
Wizard Spider

Data Sources

Web Proxy