Webinar: What's New in Graylog 6.0? | Watch On-Demand >> ​

Centralized Log Management for Data Exfiltration

Remote workforce models don’t look like they’re going anywhere anytime soon. While your employees need to collaborate, you need to make sure that you mitigate data breach risks. You worked diligently over the last few years to put the right access controls in place. The problem? Data breaches aren’t always threat actors and are not always malicious. Now, you’ve put access controls in place, but it’s still challenging to determine whether you’ve experienced any purposeful or accidental data exfiltration.

With the right centralized log management solution, you can monitor data exfiltration as part of your security program.

Where does monitoring data exfiltration fit into security monitoring?

Data exfiltration is a security incident where someone downloads, copies, or transfers sensitive information without authorization.

To prevent data exfiltration, you need to put controls in place. The first step is limited unauthorized malicious, and accidental access to networks and sensitive data. If you’ve already got those controls in place, you need to mature your monitoring to help detect exfiltration.

For example, you may want to consider adding a data loss prevention (DLP) tool to your cybersecurity technology stack. DLP software classifies data and allows you to put protections, like encryption, around sensitive data to mitigate data theft risks.

Data exfiltration use cases

Before you start monitoring for data exfiltration, you need to understand the different use cases.

Insider threat

It’s important to keep in mind that insider threats aren’t always malicious. While some of your employees may want to harm your company, many simply don’t realize that what they’re doing is a data security risk.

Malicious insider

Although most employees try their hardest to follow best data protection practices, you need to consider the different types of malicious insiders. While rare, they can lead to data security, compliance, and business reputation risks.

For example, you may have a disgruntled employee who tries to steal sensitive customer or intellectual property information before leaving to join a competitor.

Accidental data loss

With a distributed workforce, you’re more likely to see accidental data loss or data exfiltration. As part of collaborating, your employees often share information either internally or with contractors. Even though the individual user has authorized access, the people with whom they’re sharing the information may not. Since you can’t know what other people do with the downloaded information, this becomes an unauthorized transfer or download of information.


Malware, or malicious code, is a broader category that often includes ransomware. Over the past few years, ransomware attacks have increasingly switched to a “double extortion” model, focusing on encrypting and exfiltrating data.

Credential-based Attacks

As your company adopted cloud-based technologies, your credential-based attack risk increased. Credential-based attacks, like dictionary and credential stuffing attacks, can go undetected, making the threat actors appear to be legitimate users. While stolen data isn’t actually coming from malicious insiders, the attacks can make the insiders look malicious when they’re not.

Advanced Persistent Threats (APTs)

When threat actors infiltrate systems and networks, they usually have an end goal of exfiltrating data. Once the adversaries establish a foothold, they can evade detection by adapting to your security team’s efforts to resist their activities. Monitoring for data exfiltration may help you find the abnormal activity indicating an APT within your environment.

Using centralized log management to monitor for data exfiltration

If you have a centralized log management solution with security analytics, you can use it to monitor for data exfiltration. Security analytics combine threat intelligence with data analytics, like machine learning, to help you gain visibility into security risks like insider threats and data exfiltration.

Building out alerts and dashboards within your centralized log management solution can help you more rapidly detect, investigate, and respond to these types of security incidents.

Network monitoring

Network monitoring is the first step to getting your logs around data exfiltration. When you’re setting up these dashboards, you want to make sure that you have:

  • Approved IP addresses
  • Blocked IP addresses or known bad IPs
  • Geolocation for IP addresses

When you have this information, you can start comparing known malicious IPs or risky geographic areas to data volumes and transmit.

Graylog Network Monitoring


User and device compromise tend to be the primary “first touch” for threat actors looking to steal data. By taking logs from your antivirus, you can bring in device security to track down where a malware or ransomware attack started.

Graylog Illuminate Dashboard - Host with multiple malware events definitions

Anomaly Detection Machine Learning (ML)/User and Entity Behavior Analytics (UEBA)

With UBEA, you can create a baseline for “normal” user activity within your systems and networks. This will help you detect abnormal behavior. For example, UEBA can correlate your users’ behavior with download activity across:

  • Rare websites
  • Webmail
  • Email servers
  • Removable media
  • Rare processes
  • DNS
centralized log management data exfiltration UEBA

Building alerts to detect data exfiltration in your centralized log management solution

To get visibility, you need to correlate different activities across these different event log sources. Your centralized log management solution should allow you to create high-fidelity alerts by collecting, aggregating, parsing, normalizing, correlating, and analyzing event logs. This is even more critical when tracking data exfiltration across cloud-based resources.

When building out your dashboards, you should have alerts and use cases that combine the information in meaningful ways. If you do this, you will have fewer false positives and be able to review trends over time that give you a visual representation of what’s happening.

Insider Threat

For example, if you’re building an alert, you want to correlate log data that includes:

  • User ID
  • IP address, including geolocation
  • Device configurations
  • Network packets/traffic
  • Host name


An alert to help detect an APT might focus more on the network traffic than the individual end-user and include additional information like:

  • Inbound IP address
  • Outbound IP address
  • DNS domain controller

Graylog Security: Analytics for Data Exfiltration Monitoring

Graylog Security gives you the functionality you need to monitor for data exfiltration without the complexity and cost of traditional security information and event management (SIEM) tools. With our powerful, lightning-fast features, your IT and security teams can quickly start getting valuable data from your logs, reducing labor costs and alert fatigue while also maturing your security posture.

Graylog Security: Analytics for Data Exfiltration Monitoring

Graylog Security includes out-of-the-box content and anomaly detection ML/UEBA so that you can incorporate threat intelligence and user behavior to build dashboards that visualize trends and detect anomalies.


Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.