Question

Best Practices for Detecting Data Exfiltration with Firewall Logs

  • May 18, 2026
  • 4 replies
  • 105 views

melissagr

Hi everyone,

I’m currently exploring how to detect potential data exfiltration using firewall logs (FortiGate) in Google Security Operations, and I’d really appreciate some feedback from others who have worked on similar use cases.

I’m noticing that a lot of legitimate traffic (e.g. Microsoft services, video streaming, web analytics, normal browsing) can generate significant outbound activity, which makes it challenging to distinguish between normal behavior and potential exfiltration.

I’d be interested to understand how others are handling this in practice:

  • What signals or patterns do you rely on when working primarily with firewall logs?

  • Do you focus more on behavioral anomalies, destination-based detection, or a combination of both?

  • How do you effectively reduce noise without missing real threats?

  • Are there specific indicators that you’ve found particularly reliable for detecting exfiltration?

Any best practices, feedback, or examples would be greatly appreciated 

Thanks!

4 replies

hliu
  • Bronze 2
  • May 20, 2026

Firewall/network logs' bytes IN / OUT, combined with whitelists / watchlists, might be a starting point.

The next tier might be signals from specific exfiltration/DLP/IRM solutions.

Coming back to bytes OUT, density functions might be used for anomaly detection, regression to predict expected traffic, and k-means clustering for peer group analysis. But these are quite advanced ML algorithms, often require a lot of tuning/training, and honestly I'm not sure if they are available out of the box in SecOps; otherwise you might have to switch to BigQuery.

In SecOps, it might be a good idea to take a look at Curated Detections > built-in Risk Analytics. There's a series of "Anomalous Network Bytes Outbound By" / "Anomalous Total Bytes by" rules, based on thresholds calculated using avg and 2x stddev, that might be suitable.


hliu
  • Bronze 2
  • May 20, 2026

Similarly, this recent multi-stage writeup on outliers from jstoner might also help, applied to bytes OUT and scoped exfiltration destinations.


melissagr
  • Author
  • Bronze 5
  • May 22, 2026

Thanks a lot, super helpful reply!

I checked the Curated Detections in SecOps and found rules like "Anomalous Network Bytes Outbound By Hostname / Mac Address", etc.

I'll try enabling/testing them to see how they behave in our environment.

Really appreciate the guidance


houmande
  • New Member
  • May 22, 2026

This is such a tough problem, I feel you! The noise from all that legitimate outbound traffic is the worst part.

From my experience, combining both behavioral anomalies and destination rules works best. We baseline “normal” outbound volume per user/IP, then flag sudden spikes, and also watch for traffic to known risky destinations (like unregistered cloud storage, or TOR endpoints).

Tuning false positives takes forever, but we found that grouping traffic by business use (like “Microsoft 365 only” or “video streaming”) helps cut through the noise a lot.
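Worked example, added here as an illustration and not code from any of the posters, from FortiGate or from Google SecOps: a small Python detector run over constructed FortiGate-style traffic log lines that puts together the two approaches in this thread, hliu's mean + 2x stddev threshold on bytes OUT per host and houmande's per-host baseline with spike detection, a watchlist of risky destinations, and grouping by business use ("Microsoft 365", "video streaming") so that expected bulk uploads neither alert nor inflate the baseline. The log lines, the business-group hostname suffixes, the watchlist entry, the two-sigma multiplier, the three-bucket minimum history and the stdev floor are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed FortiGate-style traffic log lines (key=value), made up for this
# example; IPs are from documentation ranges. Fields used below: date, time,
# srcip, dstip, hostname (when the firewall logged one) and sentbyte.
SAMPLE_LOGS = """
date=2026-05-18 time=09:12:01 srcip=10.1.1.10 dstip=203.0.113.5 hostname="www.example.com" dstport=443 sentbyte=90000 rcvbyte=800000 action="accept"
date=2026-05-18 time=10:05:44 srcip=10.1.1.10 dstip=203.0.113.5 hostname="www.example.com" dstport=443 sentbyte=110000 rcvbyte=900000 action="accept"
date=2026-05-18 time=11:30:09 srcip=10.1.1.10 dstip=203.0.113.9 hostname="cdn.example.net" dstport=443 sentbyte=95000 rcvbyte=700000 action="accept"
date=2026-05-18 time=12:15:21 srcip=10.1.1.10 dstip=203.0.113.5 hostname="www.example.com" dstport=443 sentbyte=105000 rcvbyte=600000 action="accept"
date=2026-05-18 time=13:02:37 srcip=10.1.1.10 dstip=203.0.113.9 hostname="cdn.example.net" dstport=443 sentbyte=100000 rcvbyte=650000 action="accept"
date=2026-05-18 time=14:41:58 srcip=10.1.1.10 dstip=198.51.100.77 dstport=443 sentbyte=52000000 rcvbyte=20000 action="accept"
date=2026-05-18 time=09:20:00 srcip=10.1.1.20 dstip=203.0.113.50 hostname="outlook.office365.com" dstport=443 sentbyte=40000000 rcvbyte=1000000 action="accept"
date=2026-05-18 time=10:20:00 srcip=10.1.1.20 dstip=203.0.113.5 hostname="www.example.com" dstport=443 sentbyte=80000 rcvbyte=500000 action="accept"
date=2026-05-18 time=11:20:00 srcip=10.1.1.20 dstip=203.0.113.5 hostname="www.example.com" dstport=443 sentbyte=85000 rcvbyte=500000 action="accept"
date=2026-05-18 time=12:20:00 srcip=10.1.1.20 dstip=203.0.113.5 hostname="www.example.com" dstport=443 sentbyte=78000 rcvbyte=500000 action="accept"
date=2026-05-18 time=13:20:00 srcip=10.1.1.20 dstip=203.0.113.50 hostname="outlook.office365.com" dstport=443 sentbyte=45000000 rcvbyte=1000000 action="accept"
date=2026-05-18 time=14:20:00 srcip=10.1.1.20 dstip=203.0.113.200 dstport=443 sentbyte=2500000 rcvbyte=30000 action="accept"
""".strip().splitlines()

# Hypothetical business-use grouping by destination hostname suffix. Traffic to
# these groups is treated as expected bulk upload and kept out of the baseline.
BUSINESS_GROUPS = {
    "microsoft365": ("office365.com", "office.com", "microsoft.com"),
    "video_streaming": ("youtube.com", "googlevideo.com"),
}
# Hypothetical destination watchlist (unregistered cloud storage, TOR exits, ...).
RISKY_DESTINATIONS = {"198.51.100.77": "unregistered cloud storage"}

MIN_BASELINE_BUCKETS = 3   # with fewer hourly buckets, mean/stdev mean nothing
STDEV_FLOOR = 1024         # keeps near-constant hosts from alerting on tiny wobbles
SIGMA = 2.0                # threshold = mean + SIGMA * stdev, as in the curated rules

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value FortiGate-style line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def business_group(fields):
    """Return the business-use group of the destination, or None if unknown."""
    host = fields.get("hostname", "")
    for group, suffixes in BUSINESS_GROUPS.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return group
    return None


def bytes_out_per_hour(lines, exclude_business_groups=True):
    """Sum sentbyte per (srcip, 'YYYY-MM-DD HH'); optionally drop traffic to
    known business groups so it neither alerts nor inflates the baseline."""
    buckets = defaultdict(lambda: defaultdict(int))  # srcip -> hour -> bytes
    for line in lines:
        f = parse_line(line)
        if exclude_business_groups and business_group(f):
            continue
        buckets[f["srcip"]][f["date"] + " " + f["time"][:2]] += int(f["sentbyte"])
    return buckets


def risky_destination_hits(lines):
    """Destination rule: any bytes at all to a watchlisted destination alert."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f.get("dstip") in RISKY_DESTINATIONS:
            hits.append((f["srcip"], f["dstip"], RISKY_DESTINATIONS[f["dstip"]], int(f["sentbyte"])))
    return hits


def volume_anomalies(lines, exclude_business_groups=True):
    """Behavioural rule: score each host's latest hour against mean + SIGMA*stdev
    of its earlier hours. Returns (srcip, hour, bytes, threshold) tuples."""
    alerts = []
    for srcip, per_hour in bytes_out_per_hour(lines, exclude_business_groups).items():
        hours = sorted(per_hour)
        latest, baseline = hours[-1], [per_hour[h] for h in hours[:-1]]
        if len(baseline) < MIN_BASELINE_BUCKETS:
            continue  # not enough history; use a static threshold for such hosts
        spread = max(statistics.stdev(baseline), STDEV_FLOOR)
        threshold = statistics.mean(baseline) + SIGMA * spread
        if per_hour[latest] > threshold:
            alerts.append((srcip, latest, per_hour[latest], round(threshold)))
    return sorted(alerts)


if __name__ == "__main__":
    for a in volume_anomalies(SAMPLE_LOGS):
        print("volume anomaly:", a)
    for h in risky_destination_hits(SAMPLE_LOGS):
        print("risky destination:", h)
    print("without business grouping:", volume_anomalies(SAMPLE_LOGS, exclude_business_groups=False))
```

Run as a script it reports the 14:00 hour of both hosts as volume anomalies and the watchlist hit for 10.1.1.10. Calling volume_anomalies with exclude_business_groups=False shows the other half of the noise problem: 10.1.1.20's legitimate Microsoft 365 uploads in the morning push its mean and stdev so high that the 2.5 MB upload to an unknown host in the last hour is no longer an outlier, so grouping by business use matters for recall as much as for false positives. The three-bucket minimum is a caveat rather than a fix: the curated rules work over far more history than this, and a host without enough history needs a static threshold, not a statistical one.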