Introduction
Alert when a device starts pushing more data out than it should. The Network Abnormal Upload monitor watches upload bandwidth and fires when it exceeds your threshold for the full breach duration, flagging unusual outbound activity before it becomes a bigger problem.
Sustained abnormal uploads are one of the more useful early signals in an environment: data exfiltration, a misconfigured backup job, a cloud sync client gone rogue, or malware phoning home all show up here first.
How the Network Abnormal Upload Monitor Works
Level samples outbound throughput on the device's network interfaces. When the upload rate meets or exceeds your threshold (in Mbps) and stays there for the full breach duration, Level creates an alert. The alert includes a per-interface breakdown, so you can see exactly which NIC is pushing the traffic.
This is a rate monitor, not a content or destination monitor. It measures how many bits per second are leaving the device; it doesn't know where the traffic is going or which process is sending it. That makes it a fast tripwire for "this box is suddenly pushing a lot of data out," and the per-interface rates in the alert give you a starting point for the investigation.
The breach duration is what separates real anomalies from normal traffic. A device briefly spiking during a video call or a file share isn't worth alerting on. A workstation sustaining 50 Mbps outbound for 20 minutes at 2 AM probably is.
Configuring Network Abnormal Upload Monitor
Open the target monitor policy, then click + Add new monitor (or open an existing Network Abnormal Upload monitor to edit it).
Name and Type
Enter a name in the Name field. The field is optional, but a specific name like "Workstations - Abnormal Upload" is far more scannable in an alert list than the default.
Set Type to Network abnormal upload.
Severity
Set Severity based on how your team should respond to abnormal outbound traffic in this context:
Information
Warning
Critical
Emergency
💡 TIP: If you're using this monitor as an exfiltration tripwire on servers holding sensitive data, Critical is appropriate. For general workstation coverage, Warning keeps the signal without paging anyone over a large OneDrive sync.
Threshold
Threshold sets the upload bandwidth, in Mbps, that triggers the monitor. The comparison is greater than or equal to: traffic at exactly the threshold counts as a breach. Adjust the value with the up/down arrows or type it directly.
There's no universal right number here. It depends on the device's role and your uplink. A few starting points:
Workstations on a typical office connection: 20 to 50 Mbps catches sustained bulk uploads without flagging video calls
Servers that shouldn't be uploading much at all (domain controllers, internal app servers): 5 to 10 Mbps
Backup servers or media workstations: set well above their normal peak, or scope them to a separate policy
💡 TIP: If you're not sure what normal looks like, start with a generous threshold at Information severity and tighten it once you've seen a week of real traffic.
Breach Duration
Breach duration controls how long upload bandwidth must stay above the threshold before Level creates an alert. Set it with the slider or the up/down arrows; both adjust the same value. The range is 0 to 120 minutes.
Setting breach duration to 0 fires the alert as soon as the threshold is exceeded. That's almost always too noisy for a bandwidth monitor. Legitimate traffic spikes constantly: file transfers, screen sharing, cloud sync bursts.
💡 TIP: A 10 to 15 minute breach duration filters out nearly all legitimate spikes. Exfiltration and runaway upload jobs sustain their rate; a Teams call ends.
Remediation
Optionally attach an automation to run when this monitor fires. This is how you create a ticket, page your team, or kick off a containment script the moment the alert is created.
Click the Remediation field and select an automation from the list.
Use the link icon to open the selected automation in a new tab, the eye icon to preview it, or the × to remove it.
Once attached, open the automation to assign the monitor's payload to an automation variable if you want to pass alert context into the automation's logic. The payload for this monitor includes the threshold and the measured upload rate for each interface that breached, for example:
Upload traffic has exceeded 50 Mbps.
* en0: 87.34 Mbps
* eth1: 61.20 Mbps
ℹ️ NOTE: If the monitor itself fails to run on a device (for example, no network interfaces are available to sample), the alert carries an error message instead of the usual payload.
Notify Recipients
Two checkboxes control when this monitor emails the policy's recipients:
On alert creation sends an email when the alert fires
On alert resolution sends an email when the alert resolves
Recipients are managed at the monitor policy level, in the Recipients section.
Auto-Resolve
The Auto-resolve alert when conditions clear toggle closes the alert automatically once upload bandwidth drops back below the threshold.
Think before enabling this one for security use cases. An exfiltration event that finishes uploading will drop below the threshold on its own. If the alert auto-resolves, nobody may ever look at it. For security-oriented policies, leave auto-resolve off so a human reviews every occurrence.
⚠️ WARNING: With auto-resolve enabled, a short-lived burst of abnormal upload traffic can fire and resolve before anyone investigates. The alert history is preserved, but resolved alerts are easy to miss. For exfiltration detection, keep this off.
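To make the threshold, breach-duration and auto-resolve behaviour described above concrete, here is an added Python model of the decision logic (written for this article, not Level's own code). It assumes one sample per minute and that each interface is compared to the threshold on its own, with the device in breach when any interface is at or above it.

```python
# Constructed model of the Network Abnormal Upload decision logic.
# Assumptions (not from the article): one sample per minute; each NIC is
# compared to the threshold separately; any NIC at/above threshold = breach.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def mbps(delta_bytes: int, seconds: float) -> float:
    """Convert a byte-counter delta over an interval into megabits per second."""
    return delta_bytes * 8 / seconds / 1_000_000


def format_payload(threshold: float, rates: Dict[str, float]) -> str:
    """Render the payload in the shape shown above: breaching NICs only."""
    lines = [f"Upload traffic has exceeded {threshold:g} Mbps."]
    lines += [f"* {nic}: {r:.2f} Mbps" for nic, r in rates.items() if r >= threshold]
    return "\n".join(lines)


@dataclass
class UploadMonitor:
    threshold_mbps: float              # greater-than-or-equal comparison
    breach_minutes: int                # 0..120; 0 fires on the first breaching sample
    auto_resolve: bool = False
    breach_since: Optional[int] = None
    alert_open: bool = False
    events: List[tuple] = field(default_factory=list)

    def observe(self, minute: int, rates: Dict[str, float]) -> None:
        breaching = any(r >= self.threshold_mbps for r in rates.values())
        if not breaching:
            # Burst ended (or the exfil finished): reset the timer and, only if
            # auto-resolve is on, close the alert without a human ever seeing it.
            self.breach_since = None
            if self.alert_open and self.auto_resolve:
                self.alert_open = False
                self.events.append(("resolved", minute))
            return
        if self.breach_since is None:
            self.breach_since = minute
        if not self.alert_open and minute - self.breach_since >= self.breach_minutes:
            self.alert_open = True
            self.events.append(("alert", minute, format_payload(self.threshold_mbps, rates)))


def run(samples, threshold, breach_minutes, auto_resolve=False):
    """Feed (minute, {nic: mbps}) samples through the monitor; return its event log."""
    mon = UploadMonitor(threshold, breach_minutes, auto_resolve)
    for minute, rates in samples:
        mon.observe(minute, rates)
    return mon.events


# Constructed traffic: a 3-minute screen-share burst, quiet, then a 15-minute push.
SAMPLES = [(t, {"en0": 60.0, "eth1": 1.0}) for t in range(0, 3)]
SAMPLES += [(t, {"en0": 2.0, "eth1": 1.0}) for t in range(3, 20)]
SAMPLES += [(t, {"en0": 87.34, "eth1": 61.20}) for t in range(20, 35)]
SAMPLES += [(t, {"en0": 1.5, "eth1": 0.8}) for t in range(35, 40)]
```

With a 50 Mbps threshold and a 10-minute breach duration the short burst never alerts, the sustained push alerts at minute 30, and only the auto-resolve variant closes it at minute 35 on its own.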
FAQ
Who can create and edit monitors? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.
Is the threshold measured in megabits or megabytes? Megabits per second (Mbps). A 100 Mbps threshold is roughly 12.5 megabytes per second of sustained upload.
My alert fires every night at the same time. What's going on? Almost certainly a scheduled job: backups, cloud sync, or an offsite replication task. Either raise the threshold for that device's policy, extend the breach duration past the job's runtime, or move backup servers into their own policy with limits that match their actual workload.
What's the difference between threshold and breach duration? Threshold is the upload rate that must be exceeded. Breach duration is how long it must stay exceeded. Both conditions must be met before an alert fires.
Does this monitor tell me which interface or process is responsible? The alert payload breaks down the measured upload rate per interface (en0, eth1, and so on), so you'll know which NIC is hot. It doesn't capture the process, destination IP, or port. For that, investigate via Background Management → Processes or your network tooling once the alert fires.
Can I use this to detect data exfiltration? It's a useful tripwire, but it's bandwidth-based, not content-aware. Slow, low-rate exfiltration under your threshold won't trigger it. Pair it with sensible thresholds per device class and treat it as one signal, not a DLP replacement.
What happens to open alerts if I delete the monitor? Existing alerts remain in place. Deleting a monitor doesn't close alerts it already created. Resolve those manually.