During routine monitoring, the SIEM detects an unusual spike in outbound data transfer from a...

This alert is generated because the activity deviates significantly from the server’s established baseline, which is the hallmark of anomaly-based detection. The SIEM is not matching a known signature (so it is not signature-based), and the prompt emphasizes “deviations from normal behavior profile,” which typically means statistical profiling, baselining, or behavior analytics detecting outliers in volume, timing, destination, or frequency. While rule-based detections can also trigger on thresholds, the question explicitly frames the logic as “normal behavior profile,” which implies adaptive baselines rather than a fixed rule alone. Heuristic detection refers to generalized patterns or suspicion scoring, but here the core mechanism is abnormality versus historical norms (5 MB/hour typical vs 500 MB in 10 minutes). From a SOC triage perspective, anomaly alerts require quick validation: confirm the external destination reputation/ownership, verify whether the transfer aligns with authorized jobs, check change tickets, and correlate with authentication/process activity on the database host. Anomaly-based detection is especially valuable for data exfiltration because attackers can avoid known signatures, but they often struggle to mimic normal data movement patterns at scale.