How to Detect Data Exfiltration in Network Traffic

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Data exfiltration detection is harder than most threat detection because the baseline for 'legitimate' outbound transfers varies enormously by user, application, and time. A developer pushing 500 MB to GitHub is normal; a finance employee pushing 500 MB to a personal Dropbox account is suspicious. Detection requires understanding what 'normal' looks like for each endpoint and user before any threshold makes sense.
This guide covers the four main exfiltration channels and the specific detection patterns for each.
Channel 1: HTTPS Uploads to External Destinations
Most exfiltration today uses encrypted HTTPS uploads: legitimate-looking traffic to cloud storage, email services, or purpose-built exfiltration infrastructure. Three detection approaches:
Approach A: Absolute volume threshold per endpoint
Any single endpoint transferring more than a threshold (typically 1-5 GB in a single session, or 10 GB in 24 hours) to a single external destination warrants investigation. These numbers require calibration against your environment: adjust the threshold to produce 1-3 weekly alerts in baseline conditions, not zero alerts.
index=network sourcetype=firewall_traffic direction=outbound
| stats sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_hostname
| where total_bytes > 1073741824 /* 1 GB in bytes */
| eval gb_sent = round(total_bytes / 1073741824, 2)
| lookup ip_to_user.csv ip as src_ip OUTPUTNEW username
| sort -total_bytes
| table username, src_ip, dest_hostname, gb_sent
Approach B: Deviation from per-endpoint baseline
A 200 MB upload from an endpoint that averages 5 MB/day outbound is more suspicious than a 2 GB upload from a software development machine that routinely pushes large build artifacts. Per-endpoint baselines improve signal quality significantly.
/* Build the baseline (run over 30 days of historical data) */
index=network sourcetype=firewall_traffic direction=outbound
| bucket _time span=1d
| stats sum(bytes_out) as daily_bytes by src_ip, _time
| stats avg(daily_bytes) as avg_daily, stdev(daily_bytes) as stdev_daily by src_ip
/* Detection rule: current day vs baseline */
index=network sourcetype=firewall_traffic direction=outbound earliest=-24h
| stats sum(bytes_out) as today_bytes by src_ip
| join src_ip [search index=baselines sourcetype=egress_baseline]
| where today_bytes > (avg_daily + (3 * stdev_daily))
| eval sigma = round((today_bytes - avg_daily) / stdev_daily, 1)
| sort -sigma
Approach C: Destination reputation
Personal cloud storage (Dropbox, Google Drive, pCloud, Mega.nz) and file-sharing services (WeTransfer, SendSpace) are common exfiltration destinations. Correlate large uploads with destination categorization.
index=network sourcetype=proxy_logs
| lookup url_categories.csv url OUTPUTNEW category
| where category IN ("Personal Cloud Storage", "File Transfer", "Online Backup")
| stats sum(bytes_out) as upload_bytes by src_ip, url, category, user
| where upload_bytes > 52428800 /* 50 MB */
| sort -upload_bytes
Channel 2: DNS Tunneling
DNS tunneling encodes data within DNS queries and responses, bypassing many security controls because DNS traffic is rarely blocked or inspected. Detection requires looking at DNS query patterns, not just blocked/allowed status.
DNS tunneling indicators:
- High volume of DNS queries to a single domain (legitimate domains resolve infrequently; tunneling tools query continuously)
- Long subdomains (tunneled data is encoded in the subdomain portion:
[64-char-encoded-data].exfil.attacker.com) - High entropy subdomain strings (random-looking character sequences versus human-readable subdomains)
- DNS TXT record queries (legitimate TXT lookups are rare; tunneling tools often use TXT for response data)
- Mismatched query type to destination (A record queries to domains that only serve NS records)
Splunk SPL for DNS tunneling detection:
index=dns sourcetype=dns_queries
/* Long subdomains: DNS tunneling encodes data in subdomain strings */
| eval subdomain_length = len(mvindex(split(query, "."), 0))
| where subdomain_length > 30
| stats count as query_count, dc(query) as unique_queries by src_ip, domain
| where query_count > 100 AND unique_queries > 50
| sort -query_count
/* High-volume DNS to a single domain */
| stats count as total_queries, dc(query) as unique_subdomains by src_ip, domain
| where total_queries > 500 AND unique_subdomains > 100
| eval tunneling_score = round(total_queries / unique_subdomains, 2)
Tools for DNS tunneling detection:
- Cisco Umbrella: Includes DNS tunneling detection as a built-in feature: flags domains exhibiting tunneling patterns
- Infoblox BloxOne Threat Defense: Machine learning-based DNS tunneling detection
- dnscat2 detection signatures: If your IDS has the dnscat2 signature, enable it: it catches the most common DNS tunneling tool used in real incidents
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Channel 3: Bulk File Access Before Exfiltration
Before exfiltrating data, attackers (and malicious insiders) typically access or compress large numbers of files. Correlating file access spikes with subsequent outbound transfer spikes improves detection precision significantly.
File access spike detection (Windows file server event logs):
index=windows EventCode=4663 /* Object access */ Object_Type=File Access_Mask=0x1 /* Read */
| bucket _time span=5m
| stats count as files_accessed by User, _time
| where files_accessed > 200 /* more than 200 file reads in 5 minutes */
| sort -files_accessed
Correlation: file access spike followed by outbound transfer:
/* Step 1: Find file access spikes */
index=windows EventCode=4663 Object_Type=File
| stats count as file_reads by Account_Name, _time
| where file_reads > 200
| rename Account_Name as username
/* Step 2: Join with subsequent network transfer */
| join username [
search index=network direction=outbound
| lookup user_to_ip.csv username OUTPUTNEW src_ip
| stats sum(bytes_out) as bytes_out by username
| where bytes_out > 104857600 /* 100 MB */
]
| eval exfil_risk_score = if(bytes_out > 104857600, "HIGH", "MEDIUM")
SharePoint and OneDrive bulk download (Microsoft 365 Unified Audit Log):
# Find users who downloaded more than 50 files in one day
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations FileDownloaded,FileSyncDownloadedFull -ResultSize 5000 |
Select-Object -ExpandProperty AuditData | ConvertFrom-Json |
Group-Object { $_.UserId } |
Where-Object { $_.Count -gt 50 } |
Select-Object Name, Count | Sort-Object Count -Descending
Reducing False Positives: What Normal Looks Like
The biggest challenge in exfiltration detection is the high false positive rate. Before enabling any of these as production alerts:
Establish per-user and per-role egress baselines first. Finance staff routinely upload large reports to external auditors. Developers push large artifacts to CI/CD infrastructure. Marketing sends large video files to agencies. Build exclusion lists for known-legitimate large transfer recipients.
Create an allowlist of sanctioned external destinations:
- Your CI/CD infrastructure (GitHub, GitLab, CircleCI, AWS)
- Approved external file sharing services (your sanctioned external collaboration tool)
- Approved cloud backup destinations
- Vendor file transfer systems (your audit firm's SFTP, your legal counsel's file sharing)
Any large transfer to an allowlisted destination is excluded from the alert: focus investigation on transfers to non-allowlisted destinations.
Run rules in report-only mode for 30 days. Review every alert during this period, categorize each as legitimate or suspicious, and tune thresholds until the weekly false positive count is manageable (< 5 alerts per week for most environments). Only then enable live alerting.
Correlation reduces false positives significantly: An endpoint with a file access spike AND a large outbound transfer AND a destination not in the allowlist is far more likely to represent actual exfiltration than any single indicator alone. Layer indicators before alerting.
The bottom line
Data exfiltration detection requires three parallel approaches: HTTPS upload monitoring with per-endpoint egress baselines (not just absolute thresholds), DNS tunneling detection via long subdomain queries and high-volume single-domain queries, and file access spike correlation with subsequent outbound transfers. Run all rules in report-only mode for 30 days to tune thresholds before enabling live alerts: untuned exfiltration detection produces a high false positive rate that makes alerts unactionable.
Frequently asked questions
How do you detect data exfiltration in network traffic?
Establish per-endpoint outbound traffic baselines, then alert on deviations: outbound transfers more than 3 standard deviations above the baseline for that endpoint, large uploads to personal cloud storage destinations, DNS queries with subdomain strings longer than 30 characters (DNS tunneling indicator), and bulk file access events correlated with subsequent large outbound transfers.
What network traffic indicates data exfiltration?
Four patterns indicate potential exfiltration: unusually large outbound transfers from an endpoint relative to its normal baseline, large HTTPS uploads to personal cloud storage or file-sharing services, DNS queries with long encoded subdomains at high volume to a single domain (DNS tunneling), and a pattern of bulk file reads on a file server followed within minutes by a large outbound transfer from the same user's endpoint.
What is DNS tunneling and how do attackers use it to exfiltrate data?
DNS tunneling encodes data in DNS query subdomains and extracts responses in DNS reply records. Attackers register a domain, run a DNS server that captures queries, and install malware that converts data into DNS queries: each file chunk becomes a subdomain like 'chunk1-encoded-data.attacker.com'. The DNS query leaves the network as legitimate DNS traffic (port 53, usually not inspected by DLP tools) and the attacker's DNS server decodes the chunks on the other end. Detection signatures: subdomain strings longer than 30 characters, query volume to a single external domain exceeding 1,000 queries per hour, and encoded characters (Base64 alphabet) in subdomain labels.
How do I set up a DLP policy to prevent data exfiltration?
Data Loss Prevention (DLP) works at multiple layers. For endpoint DLP (Microsoft Purview DLP, CrowdStrike Falcon DLP): define sensitive data types (SSNs, credit card numbers, IP classified as confidential), then create policies that block upload or copy of matching content to unapproved destinations. For network DLP: configure your proxy or CASB to inspect HTTPS traffic to cloud storage services and block or alert on uploads containing sensitive data patterns. Start in alert-only mode for 30 days before enabling block mode. Define exceptions for approved business tools (corporate Dropbox, OneDrive) to avoid blocking legitimate work.
What SIEM queries detect data exfiltration behavior?
Key queries for exfiltration detection: (1) Outbound bytes by user endpoint over rolling 7-day baseline -- alert when current day exceeds mean + 3 standard deviations; (2) DNS queries per hour to a single external domain > 500 with subdomain length > 25 characters; (3) File server access events > 100 files per hour from a single user combined with outbound traffic > 500MB within the next 30 minutes from the same user; (4) HTTPS POST requests to file-sharing or cloud storage domains with request body > 10MB from non-service accounts. All four queries should run in report mode for 30 days to establish baselines before enabling live alerts.
What data exfiltration techniques bypass network traffic monitoring and how do organizations detect them?
Several exfiltration techniques are specifically designed to blend into legitimate traffic or bypass network inspection. DNS tunneling encodes stolen data in DNS queries and responses to an attacker-controlled DNS server -- the queries are syntactically valid DNS but unusually high volume and long subdomains. Detect with: DNS query volume anomaly detection, subdomain length analysis (legitimate hostnames average under 25 characters), and blocking DNS requests to resolvers outside your approved list. HTTPS exfiltration to cloud storage services (Dropbox, Google Drive, OneDrive) is indistinguishable from legitimate use at the protocol level. Detect with: Proxy or CASB analysis of upload volume to cloud storage services, DLP inspection of HTTPS uploads (requires SSL inspection deployed), and behavioral analytics on upload volume by user. Steganography (embedding data in image files) requires application-layer DLP to detect. Printed documents or photographed screens are undetectable by network controls -- address with physical security and insider threat program behavioral indicators. Slow exfiltration designed to stay below anomaly detection thresholds: maintain baselines over rolling 30-day windows rather than shorter periods, and alert on week-over-week increases as well as absolute thresholds.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
