Aurva

Egress Monitoring

Monitor outbound data flows from your environment to third-party domains with destination classification, sensitivity detection, and volume tracking.

Aurva Egress Monitoring provides visibility into data leaving your environment. It captures outbound connections from application workloads, classifies the destination, and detects when sensitive data is included in the payload.

How It Works

  1. Capture -- The data-plane agent (eBPF or network tap) observes outbound connections from monitored workloads.
  2. Resolve -- Destination IPs are resolved to domain names and enriched with threat intelligence and vendor classification.
  3. Classify -- Aurva categorises the destination (SaaS vendor, cloud storage, analytics, AI/ML, social media, unknown).
  4. Inspect -- Payload samples are checked for sensitive data patterns (PII, PCI, PHI) using the same classifiers as DSPM.
  5. Record -- Each flow is logged with source service, destination, data sensitivity, volume, and timestamp.

Destination Classification

Category                Examples
Cloud Storage           AWS S3, GCS, Azure Blob
SaaS / Collaboration    Slack, Google Workspace, Salesforce
AI / ML                 OpenAI, Anthropic, HuggingFace, Bedrock
Analytics               Segment, Mixpanel, Amplitude
Threat / Unknown        Unresolved IPs, newly registered domains

Data Sensitivity Detection

When Aurva detects sensitive data patterns in outbound payloads, the flow is tagged with the matching classifiers (e.g. PAN, Aadhaar, Email). This lets you build policies that fire only when sensitive data is being exfiltrated, reducing alert fatigue.

Volume Tracking

Egress Monitoring tracks byte volume per destination per service over time. Use this to:

  • Spot abnormal spikes in data transfer to a single vendor
  • Identify services sending disproportionately large payloads
  • Baseline normal egress patterns for anomaly detection

Creating Policies

Use External Activity Policies to define rules such as:

  • Block or alert on any connection to an AI/ML domain carrying PII
  • Alert when daily egress to an unknown domain exceeds a threshold
  • Notify when a new destination appears for the first time
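
The logic behind the three example rules above, evaluated over flow records, as an added sketch (this is not Aurva's policy syntax or code). The `Flow` fields, the rule names, the `PII_TAGS` grouping and the 50 MB daily threshold are assumptions; category labels come from the Destination Classification table.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Flow:                 # fields follow the page's "Record" step
    ts: datetime
    service: str            # source service
    destination: str        # resolved domain, or bare IP if unresolved
    category: str           # destination classification
    classifiers: tuple      # sensitive-data tags found in the payload
    bytes_out: int

PII_TAGS = {"PAN", "Aadhaar", "Email"}   # tags from the page, assumed to count as PII
UNKNOWN_DAILY_LIMIT = 50_000_000         # assumed threshold (bytes per day)

def evaluate(flows, known_destinations=frozenset()):
    """Return (rule, flow) findings for the three example rules."""
    seen = set(known_destinations)
    daily = defaultdict(int)             # (date, destination) -> bytes sent
    tripped = set()                      # keys that already raised a volume alert
    findings = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.destination not in seen:    # first appearance of a destination
            seen.add(f.destination)
            findings.append(("new-destination", f))
        if f.category == "AI / ML" and PII_TAGS & set(f.classifiers):
            findings.append(("pii-to-ai-ml", f))
        if f.category == "Threat / Unknown":
            key = (f.ts.date(), f.destination)
            daily[key] += f.bytes_out
            if daily[key] > UNKNOWN_DAILY_LIMIT and key not in tripped:
                tripped.add(key)         # alert once per destination per day
                findings.append(("unknown-volume", f))
    return findings

# Constructed sample flows (not real traffic; example.com and 203.0.113.0/24 are reserved).
SAMPLE = [
    Flow(datetime(2024, 5, 1, 9, 0), "billing", "llm.example.com", "AI / ML", ("Email",), 4_096),
    Flow(datetime(2024, 5, 1, 9, 5), "billing", "llm.example.com", "AI / ML", (), 2_048),
    Flow(datetime(2024, 5, 1, 10, 0), "export", "203.0.113.7", "Threat / Unknown", (), 30_000_000),
    Flow(datetime(2024, 5, 1, 23, 0), "export", "203.0.113.7", "Threat / Unknown", (), 30_000_000),
    Flow(datetime(2024, 5, 2, 1, 0), "export", "203.0.113.7", "Threat / Unknown", (), 30_000_000),
]

if __name__ == "__main__":
    for rule, f in evaluate(SAMPLE):
        print(f"{f.ts:%Y-%m-%d %H:%M}  {rule:<16} {f.service} -> {f.destination}")
```

The volume rule resets at each calendar-day boundary, so the 01:00 flow on the second day does not alert even though 60 MB left within three hours; a rolling window would catch that pattern.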

Egress Monitoring requires the data-plane agent to be deployed in a position that can observe outbound traffic. See Data Plane Installation for deployment options.