An analyst notices a Zeek (Bro) connection log showing a single HTTP request from internal IP 192.168.1.10 to external IP 203.0.113.5 with a URI of '/files/secret.docx' and a response code of 200. The file size is unusually large (50 MB). What should the analyst suspect?
An internal host sending a large file over HTTP to an external IP is a classic indicator of data theft.
Why this answer
A large file transferred over HTTP between an internal host and an external IP, especially one with a filename like 'secret.docx', points to data exfiltration. The single request and the 200 response code indicate the transfer completed successfully.