Cisco Secure Firewall - Potential Data Exfiltration

The following analytic detects potentially suspicious large volumes of data sent by the connection initiator on flows from internal to external networks. It leverages Cisco Secure Firewall Threat Defense ConnectionEvent logs and thresholds on InitiatorBytes (bytes transmitted by the initiator), which for typical inside-initiated client sessions approximates upload or outbound payload from the internal host and avoids flagging large downloads where most bytes appear in ResponderBytes. Connections where the initiator sent at least 100 MB are flagged, as these may indicate unauthorized data exfiltration, especially if associated with unusual users, hosts, or processes. This analytic is scoped to inside-to-outside flows using a macro (cisco_secure_firewall_inside_to_outside) to abstract environment-specific zone definitions. If confirmed malicious, this behavior may reflect data staging and exfiltration over an encrypted or stealthy transport.