# general
b
Hey all! Anyone doing anything cool for monitoring data exfiltration?
m
Hi, not directly related to your question, but this article was pretty interesting for me: https://clo.ng/blog/osquery_reverse_shell/ Also, evented tables like process_events or socket_events are my favorite ways to track suspicious outbound connections or processes that run for a very short time and can't be detected using something like "ps" or "netstat" commands.