Hi everyone,
I’m currently exploring how to detect potential data exfiltration using firewall logs (FortiGate) in Google Security Operations, and I’d really appreciate some feedback from others who have worked on similar use cases.
I’m noticing that a lot of legitimate traffic (e.g. Microsoft services, video streaming, web analytics, normal browsing) can generate significant outbound activity, which makes it challenging to distinguish between normal behavior and potential exfiltration.
I’d be interested to understand how others are handling this in practice:
- What signals or patterns do you rely on when working primarily with firewall logs?
- Do you focus more on behavioral anomalies, destination-based detection, or a combination of both?
- How do you effectively reduce noise without missing real threats?
- Are there specific indicators that you’ve found particularly reliable for detecting exfiltration?
Any best practices, feedback, or examples would be greatly appreciated.
Thanks!
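One way to turn the questions above into a first-pass detection, shown here as an added example that is not part of the original post and not Fortinet's or Google's code: parse FortiGate key=value traffic records, sum sent and received bytes per source/destination pair, drop pairs whose destination is on a known-good allowlist (the Microsoft/CDN/analytics traffic the post mentions), and then flag only pairs that are both upload-heavy (sent far exceeds received) and, where a per-host baseline exists, far above that host's normal outbound volume. The field names `srcip`, `dstip`, `dstport`, `sentbyte` and `rcvdbyte` are standard FortiGate traffic-log fields; the log lines, allowlist entries, baselines and thresholds are all constructed for the example and would be tuned per environment.

```python
"""Score FortiGate outbound flows for exfiltration-like behaviour.

Added example; not from the original post. Log lines, allowlist,
baselines and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict

# FortiGate traffic logs are space-separated key=value pairs; quoted values
# may contain spaces, so try the quoted form first.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_line(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict (byte counters as int)."""
    rec = {}
    for m in _KV.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    for key in ("sentbyte", "rcvdbyte"):
        rec[key] = int(rec.get(key, 0))
    return rec


def aggregate_flows(records):
    """Sum sent/received bytes per (srcip, dstip, dstport) across the window."""
    flows = defaultdict(lambda: {"sent": 0, "rcvd": 0, "sessions": 0})
    for r in records:
        if r.get("type") != "traffic":      # skip event/UTM records
            continue
        key = (r["srcip"], r["dstip"], r.get("dstport", "?"))
        flows[key]["sent"] += r["sentbyte"]
        flows[key]["rcvd"] += r["rcvdbyte"]
        flows[key]["sessions"] += 1
    return flows


def find_exfil_candidates(records, allowlist, baseline_sent, *,
                          min_sent=100_000_000, upload_ratio=5.0,
                          baseline_multiplier=3.0):
    """Return flows that look like exfiltration after destination allowlisting.

    A flow is reported when it is not allowlisted, exceeds min_sent bytes,
    and is either upload-heavy (sent/rcvd >= upload_ratio) or pushes the
    source host past baseline_multiplier x its normal outbound volume.
    """
    flows = aggregate_flows(records)
    per_src_sent = defaultdict(int)
    for (src, _, _), f in flows.items():
        per_src_sent[src] += f["sent"]

    findings = []
    for (src, dst, port), f in flows.items():
        if dst in allowlist or f["sent"] < min_sent:
            continue  # known-good destination, or too small to matter
        reasons = []
        ratio = f["sent"] / max(f["rcvd"], 1)
        if ratio >= upload_ratio:
            reasons.append(f"upload-heavy ratio {ratio:.1f}:1")
        base = baseline_sent.get(src)
        if base and per_src_sent[src] >= baseline_multiplier * base:
            reasons.append(f"{per_src_sent[src] / base:.1f}x host baseline")
        if reasons:
            findings.append({"srcip": src, "dstip": dst, "dstport": port,
                             "sent": f["sent"], "rcvd": f["rcvd"],
                             "sessions": f["sessions"], "reasons": reasons})
    return findings


# Constructed sample lines (RFC 5737 documentation addresses, fake host names).
LOG_LINES = [
    'date=2024-05-02 time=02:13:07 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.1.1.20 dstip=203.0.113.77 dstport=443 service="HTTPS" action="accept" '
    'sentbyte=220000000 rcvdbyte=1200000',
    'date=2024-05-02 time=02:41:55 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.1.1.20 dstip=203.0.113.77 dstport=443 service="HTTPS" action="accept" '
    'sentbyte=190000000 rcvdbyte=900000',
    # ordinary browsing: download-heavy, small upload
    'date=2024-05-02 time=09:02:11 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.1.1.30 dstip=192.0.2.50 dstport=443 service="HTTPS" action="accept" '
    'sentbyte=1500000 rcvdbyte=85000000',
    # large upload to an allowlisted SaaS destination: noisy but expected
    'date=2024-05-02 time=10:15:42 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.1.1.40 dstip=198.51.100.10 dstport=443 service="HTTPS" action="accept" '
    'sentbyte=300000000 rcvdbyte=4000000',
    # non-traffic record, must be ignored by the aggregation
    'date=2024-05-02 time=10:20:00 devname="fw-edge" type="event" subtype="system" '
    'logdesc="Admin login successful"',
]
ALLOWLIST = {"198.51.100.10": "corporate file-sync SaaS (constructed)"}
BASELINE_SENT = {"10.1.1.20": 40_000_000, "10.1.1.30": 20_000_000}  # bytes/day, constructed


def run_demo():
    """Parse the sample lines and return the resulting findings."""
    records = [parse_fortigate_line(l) for l in LOG_LINES]
    return find_exfil_candidates(records, ALLOWLIST, BASELINE_SENT)


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

The design choice that matters for noise is the ordering: destination allowlisting runs first and removes the large-but-expected uploads, and volume alone never triggers an alert; a flow must also be upload-heavy or out of line with the host's own history. In practice the allowlist and per-host baselines would be populated from a reference list and a rolling aggregation inside the SIEM rather than from hard-coded dicts.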

