# outbound\_smb\_spike

**Explanation**

This security event monitors the amount of Windows Networking traffic (DCE-RPC, NetBIOS, or SMB) leaving the network. A high volume of this traffic leaving the network could be an indicator of a malware infection or an attempt to exfiltrate data.

**What to Look For**

Networks often communicate via Windows Networking with authorized cloud-hosted systems such as Active Directory. The typical amount of communication in those transactions is not sufficient to trigger this alert. This alert triggers on communications with higher amounts of packets or bytes transferred, which may indicate unauthorized activity such as data exfiltration.
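
The volume check described above can be sketched over flow records as follows. This is an added example, not the product's detection logic: the flow record fields, the internal address ranges, the port set, and the 100 MB threshold are all assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# DCE-RPC endpoint mapper (135), NetBIOS (137-139), SMB over TCP (445).
WINDOWS_NET_PORTS = {135, 137, 138, 139, 445}

# Assumption: the monitored network uses RFC 1918 space internally.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: illustrative threshold only; the page does not state the real one.
BYTE_THRESHOLD = 100_000_000

# Constructed flow records (external addresses are documentation ranges).
SAMPLE_FLOWS = [
    {"src": "10.0.1.5", "dst": "203.0.113.10", "dst_port": 445, "bytes": 40_000},
    {"src": "10.0.1.7", "dst": "198.51.100.23", "dst_port": 445, "bytes": 300_000_000},
    {"src": "10.0.1.7", "dst": "198.51.100.23", "dst_port": 445, "bytes": 250_000_000},
    {"src": "10.0.1.7", "dst": "10.0.2.9", "dst_port": 445, "bytes": 1_000_000_000},
    {"src": "10.0.1.8", "dst": "198.51.100.23", "dst_port": 443, "bytes": 2_000_000_000},
]

def is_internal(ip):
    """True when ip falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound_smb_spikes(flows, byte_threshold=BYTE_THRESHOLD):
    """Sum bytes per (internal src, external dst) on Windows Networking ports
    and return only the pairs whose total exceeds byte_threshold."""
    totals = defaultdict(int)
    for flow in flows:
        if flow["dst_port"] not in WINDOWS_NET_PORTS:
            continue  # not DCE-RPC, NetBIOS or SMB
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue  # only traffic leaving the network counts
        totals[(flow["src"], flow["dst"])] += flow["bytes"]
    return {pair: total for pair, total in totals.items() if total > byte_threshold}

if __name__ == "__main__":
    for (src, dst), total in outbound_smb_spikes(SAMPLE_FLOWS).items():
        print(f"outbound_smb_spike: {src} -> {dst} {total} bytes")
```

The small 40 KB exchange stays below the threshold, as routine traffic to an authorized cloud-hosted system would, while the two large transfers from one host to the same external address are summed and flagged.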

**Related MITRE ATT\&CK Categories**

[Exfiltration: Exfiltration Over Alternative Protocol, Technique T1048 - Enterprise](https://attack.mitre.org/techniques/T1048)


