Exfiltration
Rule Name | Rule ID | Required data connectors |
---|---|---|
API - BOLA | 1b047dc3-a879-4f99-949b-d1dc867efc83 | 42CrunchAPIProtection |
RDS instance publicly exposed | 8f1630c2-2e45-4df2-be43-50fba90f601d | AWS |
S3 bucket access point publicly exposed | b7a44e0d-ae4c-4fb2-be1b-aa0e45f2327b | AWS |
S3 bucket exposed via ACL | 6b9b4ee6-f4c1-4b86-8c8c-beb0bb59ae44 | AWS |
S3 bucket exposed via policy | 44a5b65e-b0a9-4591-aabc-388fd92a28c4 | AWS |
S3 object publicly exposed | 09f2a28b-3286-4268-9e2f-33805f104e5d | AWS |
Apache - Put suspicious file | c5d69e46-3b00-11ec-8d3d-0242ac130003 | ApacheHTTPServer |
Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
Multiple Sources Affected by the Same TI Destination | 4644baf7-3464-45dd-bd9d-e07687e25f81 | AzureFirewall |
Response rows stateful anomaly on database | 9851c360-5fd5-4bae-a117-b66d8476bf5e | AzureSql |
Bitglass - Multiple files shared with external entity | 09690f9b-33d1-4372-a6aa-eb7d3b3cdebc | Bitglass |
Bitglass - Suspicious file uploads | 4b272e82-19f1-40d1-bfdf-74fbb6353e8b | Bitglass |
Box - Item shared to external entity | 3b803560-f8a6-4db4-89cb-617d89724ba1 | BoxDataConnector |
Box - File containing sensitive data | 266746ae-5eaf-4068-a980-5d630f435c46 | BoxDataConnector |
Cisco SEG - DLP policy violation | df5c34dd-e1e6-4e07-90b1-4309ebfe754c | CiscoSEG CiscoSEGAma |
Cisco SEG - Multiple large emails sent to external recipient | 1399a9a5-6200-411e-8c34-ca5658754cf7 | CiscoSEG CiscoSEGAma |
Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
Cisco WSA - Unexpected uploads | 32c460ad-2d40-43e9-8ead-5cdd1d7a3163 | CiscoWSA |
Cisco WSA - Suspected protocol abuse | 6f756792-4888-48a5-97cf-40d9430dc932 | CiscoWSA |
Contrast Blocks | 4396f8c3-d114-4154-9f4c-048ba522ed04 | ContrastProtect ContrastProtectAma |
Contrast Exploits | e1abb6ed-be18-40fd-be58-3d3d84041daf | ContrastProtect ContrastProtectAma |
Contrast Probes | 297596de-d9ae-4fb8-b6ff-00fc01c9462d | ContrastProtect ContrastProtectAma |
Contrast Suspicious | f713404e-805c-4e0c-91fa-2c149f76a07d | ContrastProtect ContrastProtectAma |
Corelight - Multiple Compressed Files Transferred over HTTP | 4e55e306-3022-43a1-870a-41c4d5116079 | Corelight |
Corelight - Multiple files sent over HTTP with abnormal requests | 7226d37b-50ee-4e3b-9f80-5b74080d8f2c | Corelight |
Dev-0270 Malicious Powershell usage | 422ca2bf-598b-4872-82bb-5f7e8fa731e7 | SecurityEvents MicrosoftThreatProtection |
Digital Guardian - Sensitive data transfer over insecure channel | b52cda18-c1af-40e5-91f3-1fcbf9fa267e | DigitalGuardianDLP |
Digital Guardian - Exfiltration using DNS protocol | 39e25deb-49bb-4cdb-89c1-c466d596e2bd | DigitalGuardianDLP |
Digital Guardian - Exfiltration to online fileshare | f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8 | DigitalGuardianDLP |
Digital Guardian - Exfiltration to private email | edead9b5-243a-466b-ae78-2dae32ab1117 | DigitalGuardianDLP |
Digital Guardian - Exfiltration to external domain | a19885c8-1e44-47e3-81df-d1d109f5c92d | DigitalGuardianDLP |
Digital Guardian - Bulk exfiltration to external domain | 5f75a873-b524-4ba5-a3b8-2c20db517148 | DigitalGuardianDLP |
Digital Guardian - Multiple incidents from user | e8901dac-2549-4948-b793-5197a5ed697a | DigitalGuardianDLP |
Digital Guardian - Possible SMTP protocol abuse | a374a933-f6c4-4200-8682-70402a9054dd | DigitalGuardianDLP |
Digital Guardian - Unexpected protocol | a14f2f95-bbd2-4036-ad59-e3aff132b296 | DigitalGuardianDLP |
Digital Guardian - Incident with not blocked action | 07bca129-e7d6-4421-b489-32abade0b6a7 | DigitalGuardianDLP |
Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT |
Google DNS - Possible data exfiltration | 705bed63-668f-4508-9d2d-26faf4010700 | GCPDNSDataConnector |
Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
SharePointFileOperation via previously unseen IPs | 4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7 | Office365 |
SharePointFileOperation via devices with previously unseen user agents | 5dd76a87-9f87-4576-bab3-268b0e2b338b | Office365 |
Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
Linked Malicious Storage Artifacts | b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d | MicrosoftCloudAppSecurity |
VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
Insider Risk_Sensitive Data Access Outside Organizational Geo-location | b81ed294-28cf-48c3-bac8-ac60dcef293b | AzureInformationProtection AzureActiveDirectory |
Mimecast Data Leak Prevention - Hold | 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f | MimecastSIEMAPI |
Mimecast Data Leak Prevention - Notifications | 1818aeaa-4cc8-426b-ba54-539de896d299 | MimecastSIEMAPI |
Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | OracleDatabaseAudit |
Oracle - Put suspicious file | edc2f2b4-573f-11ec-bf63-0242ac130002 | OracleWebLogicServer |
Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | PaloAltoNetworks PaloAltoNetworksAma |
ProofpointPOD - Email sender in TI list | 35a0792a-1269-431e-ac93-7ae2980d4dde | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
ProofpointPOD - Email sender IP in TI list | 78979d32-e63f-4740-b206-cfb300c735e0 | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
ProofpointPOD - Multiple archived attachments to the same recipient | bda5a2bd-979b-4828-a91f-27c2a5048f7f | ProofpointPOD |
ProofpointPOD - Multiple large emails to the same recipient | d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32 | ProofpointPOD |
ProofpointPOD - Multiple protected emails to unknown recipient | f8127962-7739-4211-a4a9-390a7a00e91f | ProofpointPOD |
Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
Threat Essentials - Time series anomaly for data size transferred to public internet | b49a1093-cbf6-4973-89ac-2eef98f533c6 | CiscoASA PaloAltoNetworks AzureMonitor(VMInsights) |
Third party integrated apps | BFA7EE22-B5A9-42C8-BD50-2E95885640BB | SenservaPro |
SlackAudit - Multiple archived files uploaded in short period of time | 3db0cb83-5fa4-4310-a8a0-d8d66183f0bd | SlackAuditAPI |
SlackAudit - Public link created for file which can contain sensitive information. | 279316e8-8965-47d2-9788-b94dc352c853 | SlackAuditAPI |
Trend Micro CAS - DLP violation | 1ddeb8ad-cad9-4db4-b074-f9da003ca3ed | TrendMicroCAS |
Ubiquiti - Connection to known malicious IP or C2 | db60ca0b-b668-439b-b889-b63b57ef20fb | UbiquitiUnifi |
Ubiquiti - Unusual FTP connection to external server | fd200125-9d57-4838-85ca-6430c63e4e5d | UbiquitiUnifi |
Ubiquiti - Large ICMP to external server | 6df85d74-e32f-4b71-80e5-bfe2af00be1c | UbiquitiUnifi |
Ubiquiti - connection to non-corporate DNS server | fe232837-9bdc-4e2b-8c08-cdac2610eed3 | UbiquitiUnifi |
Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect |
Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect |
Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect |
Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect |
Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect |
Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect |
Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | 5965d3e7-8ed0-477c-9b42-e75d9237fab0 | |
Detect presence of private IP addresses in URLs (ASIM Web Session) | e3a7722a-e099-45a9-9afb-6618e8f05405 | |
DNS events related to ToR proxies | a83ef0f4-dace-4767-bce3-ebd32599d2a0 | DNS |
DNS events related to ToR proxies (ASIM DNS Schema) | 3fe3c520-04f1-44b8-8398-782ed21435f8 | DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
CreepyDrive request URL sequence | eda260eb-f4a1-4379-ad98-452604da9b3e | Zscaler Fortinet CheckPoint PaloAltoNetworks |
CreepyDrive URLs | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc | Zscaler Fortinet CheckPoint PaloAltoNetworks |
RunningRAT request parameters | baedfdf4-7cc8-45a1-81a9-065821628b83 | Zscaler Fortinet CheckPoint PaloAltoNetworks |
Time series anomaly detection for total volume of traffic | 06a9b845-6a95-4432-a78b-83919b28c375 | Barracuda CEF CheckPoint CiscoASA F5 Fortinet PaloAltoNetworks |
Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
IP address of Windows host encoded in web request | a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
Windows host username encoded in base64 web request | 6e715730-82c0-496c-983b-7a20c4590bd9 | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
Time series anomaly for data size transferred to public internet | f2dd4a3a-ebac-4994-9499-1a859938c947 | CiscoASA PaloAltoNetworks AzureMonitor(VMInsights) |
Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 |
NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
Mass Download & copy to USB device by single user | 6267ce44-1e9d-471b-9f1e-ae76a6b7aa84 | MicrosoftCloudAppSecurity MicrosoftThreatProtection |