A baseline of network operations and expected data flows is established and managed
You cannot detect anomalies without knowing what normal looks like. A documented baseline of expected network traffic patterns, user behaviors, and data flows gives analysts a reference point: when something deviates from baseline, it warrants investigation. Organizations that skip baselining often generate too many alerts (because nothing is tuned to the environment) or too few (because detection is generic and misses targeted activity).
Implementation steps
1. Document expected network traffic and data flows for critical systems
For each critical system, document the expected inbound and outbound network connections: which ports, protocols, source and destination IP ranges, and approximate volume. Include expected data flows: which systems talk to which databases, which services call external APIs, and what constitutes normal authentication patterns. Keep this documentation current as your architecture evolves.
Tools: Confluence, Lucidchart, Miro
2. Use network flow data to establish traffic baselines
Capture network flow data (NetFlow, VPC Flow Logs, or packet metadata) for at least 30 days to build a statistical baseline of normal communication patterns. Identify typical daily and weekly traffic volumes by source/destination pair, common protocols and ports, and expected external egress destinations. This baseline becomes the foundation for anomaly-based detection rules.
Tools: AWS VPC Flow Logs, Datadog, Splunk, Elastic, Darktrace
3. Implement user and entity behavior analytics
Deploy UEBA capabilities that learn normal behavior patterns for users and systems over time and alert when behavior deviates significantly: a user downloading 10x their normal data volume, a service account making API calls at 3am, or an endpoint suddenly communicating with a new external IP. These behavioral detections catch threats that signature-based rules miss.
Tools: Microsoft Sentinel, Splunk UEBA, Datadog, Exabeam, Vectra
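As an added example (not part of this control page or of any of the tools listed above), the Python script below builds a per-flow daily-bytes baseline from VPC Flow Log records and then evaluates a later day's records against it, flagging the two deviations steps 2 and 3 describe: a flow whose daily volume exceeds 10x its baseline, and egress to an external destination never seen during the baseline period. The flow records, the account and interface IDs in them, the 10.0.0.0/8 "internal" range and the three-day baseline window are all constructed for illustration; a production baseline should cover the 30 days step 2 calls for.

```python
"""Flow-log baseline and anomaly check (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from statistics import mean

# Address ranges treated as "inside" the VPC (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int
    nbytes: int
    start: int  # epoch seconds


def parse_vpc_flow(line: str) -> Flow:
    """Parse one record in the default VPC Flow Log v2 format:
    version account-id interface-id srcaddr dstaddr srcport dstport protocol
    packets bytes start end action log-status  (14 space-separated fields)."""
    f = line.split()
    if len(f) != 14:
        raise ValueError(f"expected 14 fields, got {len(f)}: {line!r}")
    return Flow(src=f[3], dst=f[4], dport=int(f[6]), proto=int(f[7]),
                nbytes=int(f[9]), start=int(f[10]))


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def aggregate_daily(flows):
    """Sum bytes per (src, dst, dport) per UTC day."""
    daily = defaultdict(lambda: defaultdict(int))
    for fl in flows:
        day = datetime.fromtimestamp(fl.start, timezone.utc).date()
        daily[(fl.src, fl.dst, fl.dport)][day] += fl.nbytes
    return daily


def build_baseline(flows):
    """Return (mean daily bytes per flow key, set of external egress destinations)."""
    flows = list(flows)
    mean_bytes = {key: mean(per_day.values())
                  for key, per_day in aggregate_daily(flows).items()}
    egress = {fl.dst for fl in flows if is_internal(fl.src) and not is_internal(fl.dst)}
    return mean_bytes, egress


def detect_anomalies(flows, mean_bytes, egress, volume_factor=10.0):
    """Flag (a) a known flow exceeding volume_factor x its baseline daily bytes and
    (b) internal-to-external egress to a destination absent from the baseline."""
    findings = []
    for (src, dst, dport), per_day in aggregate_daily(flows).items():
        key = (src, dst, dport)
        for day, total in per_day.items():
            if key in mean_bytes:
                if total > volume_factor * mean_bytes[key]:
                    findings.append({"type": "volume-spike", "src": src, "dst": dst,
                                     "dport": dport, "day": str(day), "bytes": total,
                                     "baseline": mean_bytes[key]})
            elif is_internal(src) and not is_internal(dst) and dst not in egress:
                findings.append({"type": "new-external-destination", "src": src,
                                 "dst": dst, "dport": dport, "day": str(day),
                                 "bytes": total})
    return findings


# Constructed sample records: three baseline days, then one day under review.
_DAY = 86400
_T0 = 1704067200  # 2024-01-01T00:00:00Z


def _rec(src, dst, sport, dport, nbytes, start):
    # Account and interface IDs are placeholders, not real identifiers.
    return (f"2 123456789012 eni-0a1b2c3d {src} {dst} {sport} {dport} 6 "
            f"{nbytes // 1000 + 1} {nbytes} {start} {start + 600} ACCEPT OK")


BASELINE_LOGS = [
    _rec("10.0.1.5", "10.0.2.9", 51234, 5432, 1_000_000, _T0),
    _rec("10.0.1.5", "203.0.113.10", 51235, 443, 50_000, _T0),
    _rec("10.0.1.5", "10.0.2.9", 51236, 5432, 1_100_000, _T0 + _DAY),
    _rec("10.0.1.5", "203.0.113.10", 51237, 443, 45_000, _T0 + _DAY),
    _rec("10.0.1.5", "10.0.2.9", 51238, 5432, 900_000, _T0 + 2 * _DAY),
    _rec("10.0.1.5", "203.0.113.10", 51239, 443, 55_000, _T0 + 2 * _DAY),
]
REVIEW_LOGS = [
    _rec("10.0.1.5", "10.0.2.9", 51240, 5432, 12_000_000, _T0 + 3 * _DAY),  # 12x normal
    _rec("10.0.1.5", "203.0.113.10", 51241, 443, 60_000, _T0 + 3 * _DAY),   # within baseline
    _rec("10.0.1.5", "198.51.100.7", 51242, 443, 2_000, _T0 + 3 * _DAY),    # never seen before
]


def run_demo():
    mean_bytes, egress = build_baseline(parse_vpc_flow(l) for l in BASELINE_LOGS)
    return detect_anomalies([parse_vpc_flow(l) for l in REVIEW_LOGS], mean_bytes, egress)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running the script reports the 12 MB database flow as a volume spike against its 1 MB daily mean and the 198.51.100.7 connection as a new external destination, while the 60 KB flow to the already-known 203.0.113.10 stays quiet. The same structure (learn per-entity means, then compare a review window against a multiplier) is what the UEBA thresholds in step 3 and the "anomaly thresholds" evidence item below formalise; in practice the baseline keys would also include the user or service principal and an hour-of-day dimension so that off-hours activity can be scored.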
Evidence required
Network baseline documentation
A documented baseline of expected network flows and communications for critical systems.
- Network traffic baseline document listing expected connections by system
- VPC Flow Log analysis showing normal traffic patterns and anomaly thresholds
- Data flow diagram annotated with expected communication patterns
Behavioral baseline and anomaly detection configuration
Evidence that behavioral baselines are used to inform detection rules.
- UEBA configuration showing baseline learning period and alert thresholds
- Network anomaly detection rules referencing established baselines
- Splunk or Datadog saved searches for traffic anomaly detection
Related controls
- Potentially adverse events are analyzed to better understand associated activities (Adverse Event Analysis)
- Information is correlated from multiple sources (Adverse Event Analysis)
- The estimated impact and scope of adverse events are understood (Adverse Event Analysis)
- Alert thresholds are established (Adverse Event Analysis)