Exfiltration
| Rule Name | id | Required data connectors |
|---|---|---|
| API - BOLA | 1b047dc3-a879-4f99-949b-d1dc867efc83 | 42CrunchAPIProtection |
| RDS instance publicly exposed | 8f1630c2-2e45-4df2-be43-50fba90f601d | AWS |
| S3 bucket access point publicly exposed | b7a44e0d-ae4c-4fb2-be1b-aa0e45f2327b | AWS |
| S3 bucket exposed via ACL | 6b9b4ee6-f4c1-4b86-8c8c-beb0bb59ae44 | AWS |
| S3 bucket exposed via policy | 44a5b65e-b0a9-4591-aabc-388fd92a28c4 | AWS |
| S3 object publicly exposed | 09f2a28b-3286-4268-9e2f-33805f104e5d | AWS |
| Apache - Put suspicious file | c5d69e46-3b00-11ec-8d3d-0242ac130003 | CustomLogsAma |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
| CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | AzureCloudNGFWByPaloAltoNetworks |
| Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
| Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
| Multiple Sources Affected by the Same TI Destination | 4644baf7-3464-45dd-bd9d-e07687e25f81 | AzureFirewall |
| Response rows stateful anomaly on database | 9851c360-5fd5-4bae-a117-b66d8476bf5e | AzureSql |
| Bitglass - Multiple files shared with external entity | 09690f9b-33d1-4372-a6aa-eb7d3b3cdebc | Bitglass |
| Bitglass - Suspicious file uploads | 4b272e82-19f1-40d1-bfdf-74fbb6353e8b | Bitglass |
| Box - Item shared to external entity | 3b803560-f8a6-4db4-89cb-617d89724ba1 | BoxDataConnector |
| Box - File containing sensitive data | 266746ae-5eaf-4068-a980-5d630f435c46 | BoxDataConnector |
| Cisco SEG - DLP policy violation | df5c34dd-e1e6-4e07-90b1-4309ebfe754c | CefAma |
| Cisco SEG - Multiple large emails sent to external recipient | 1399a9a5-6200-411e-8c34-ca5658754cf7 | CefAma |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
| Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
| Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
| Cisco WSA - Unexpected uploads | 32c460ad-2d40-43e9-8ead-5cdd1d7a3163 | SyslogAma |
| Cisco WSA - Suspected protocol abuse | 6f756792-4888-48a5-97cf-40d9430dc932 | SyslogAma |
| Contrast Blocks | 4396f8c3-d114-4154-9f4c-048ba522ed04 | ContrastProtect ContrastProtectAma CefAma |
| Contrast Exploits | e1abb6ed-be18-40fd-be58-3d3d84041daf | ContrastProtect ContrastProtectAma CefAma |
| Contrast Probes | 297596de-d9ae-4fb8-b6ff-00fc01c9462d | ContrastProtect ContrastProtectAma CefAma |
| Contrast Suspicious | f713404e-805c-4e0c-91fa-2c149f76a07d | ContrastProtect ContrastProtectAma CefAma |
| Corelight - Multiple Compressed Files Transferred over HTTP | 4e55e306-3022-43a1-870a-41c4d5116079 | Corelight |
| Corelight - Multiple files sent over HTTP with abnormal requests | 7226d37b-50ee-4e3b-9f80-5b74080d8f2c | Corelight |
| Dev-0270 Malicious Powershell usage | 422ca2bf-598b-4872-82bb-5f7e8fa731e7 | SecurityEvents WindowsSecurityEvents MicrosoftThreatProtection |
| Digital Guardian - Sensitive data transfer over insecure channel | b52cda18-c1af-40e5-91f3-1fcbf9fa267e | SyslogAma |
| Digital Guardian - Exfiltration using DNS protocol | 39e25deb-49bb-4cdb-89c1-c466d596e2bd | SyslogAma |
| Digital Guardian - Exfiltration to online fileshare | f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8 | SyslogAma |
| Digital Guardian - Exfiltration to private email | edead9b5-243a-466b-ae78-2dae32ab1117 | SyslogAma |
| Digital Guardian - Exfiltration to external domain | a19885c8-1e44-47e3-81df-d1d109f5c92d | SyslogAma |
| Digital Guardian - Bulk exfiltration to external domain | 5f75a873-b524-4ba5-a3b8-2c20db517148 | SyslogAma |
| Digital Guardian - Multiple incidents from user | e8901dac-2549-4948-b793-5197a5ed697a | SyslogAma |
| Digital Guardian - Possible SMTP protocol abuse | a374a933-f6c4-4200-8682-70402a9054dd | SyslogAma |
| Digital Guardian - Unexpected protocol | a14f2f95-bbd2-4036-ad59-e3aff132b296 | SyslogAma |
| Digital Guardian - Incident with not blocked action | 07bca129-e7d6-4421-b489-32abade0b6a7 | SyslogAma |
| Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
| Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT SyslogAma |
| GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule | edcfc2e0-3134-434c-8074-9101c530d419 | Office365 AzureActiveDirectory |
| GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination | d75e8289-d1cb-44d4-bd59-2f44a9172478 | AzureActiveDirectory Office365 |
| GSA Enriched Office 365 - SharePoint File Operation via Previously Unseen IPs | 7460e34e-4c99-47b2-b7c0-c42e339fc586 | AzureActiveDirectory Office365 |
| GSA Enriched Office 365 - SharePointFileOperation via devices with previously unseen user agents | efd17c5f-5167-40f8-a1e9-0818940785d9 | AzureActiveDirectory Office365 |
| GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold | 30375d00-68cc-4f95-b89a-68064d566358 | AzureActiveDirectory Office365 |
| GSA Enriched Office 365 - Sharepoint File Transfer Above Threshold | abd6976d-8f71-4851-98c4-4d086201319c | AzureActiveDirectory Office365 |
| GSA - Detect Abnormal Deny Rate for Source to Destination IP | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b | AzureActiveDirectory |
| GSA - Detect Protocol Changes for Destination Ports | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a | AzureActiveDirectory |
| GSA Enriched Office 365 - Multiple Users Email Forwarded to Same Destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | AzureActiveDirectory |
| GSA Enriched Office 365 -SharePointFileOperation via devices with previously unseen user agents | f2367171-1514-4c67-88ef-27434b6a1093 | AzureActiveDirectory |
| GSA Enriched Office 365 - Office Mail Forwarding - Hunting Version | d49fc965-aef3-49f6-89ad-10cc4697eb5b | AzureActiveDirectory |
| Google DNS - Possible data exfiltration | 705bed63-668f-4508-9d2d-26faf4010700 | GCPDNSDataConnector |
| Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
| Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
| SharePointFileOperation via previously unseen IPs | 4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7 | Office365 |
| SharePointFileOperation via devices with previously unseen user agents | 5dd76a87-9f87-4576-bab3-268b0e2b338b | Office365 |
| Office365 Sharepoint File transfer above threshold | 8b4f03e7-3460-4401-824d-e65a8dd464f0 | Office365 |
| Office365 Sharepoint File transfer Folders above threshold | 8a547285-801c-4290-aa2e-5e7e20ca157d | Office365 |
| Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
| Dataverse - Export activity from terminated or notified employee | 0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b | Dataverse |
| Dataverse - Guest user exfiltration following Power Platform defense impairment | 39efbf4b-b347-4cc7-895e-99a868bf29ea | PowerPlatformAdmin AzureActiveDirectory AzureActiveDirectoryIdentityProtection |
| Dataverse - Honeypot instance activity | 11650b85-d8cc-49c4-8c04-a8a739635983 | Dataverse |
| Dataverse - Mass download from SharePoint document management | 95e02f1b-5886-4043-8f0e-a42e6e23330f | Office365 |
| Dataverse - Mass export of records to Excel | 57000f0d-ff5d-4166-94b6-aa5fb62b16ec | Dataverse |
| Dataverse - SharePoint document management site added or updated | c4c3510a-0ee0-4561-9835-47882ffa7f46 | Dataverse |
| Dataverse - Suspicious use of TDS endpoint | d875af10-6bb9-4d6a-a6e4-78439a98bf4b | Dataverse AzureActiveDirectoryIdentityProtection |
| Dataverse - Suspicious use of Web API | 8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86 | Dataverse AzureActiveDirectory |
| Dataverse - Terminated employee exfiltration over email | de039242-47e0-43fa-84d7-b6be24305349 | MicrosoftThreatProtection AzureActiveDirectoryIdentityProtection IdentityInfo |
| Dataverse - Terminated employee exfiltration to USB drive | c5e75cb6-cea0-49c2-a998-da414035aac1 | Dataverse MicrosoftThreatProtection |
| Dataverse - User bulk retrieval outside normal activity | 08cb7ffc-59c6-4e7d-88e0-327371c9431b | Dataverse |
| Power Automate - Departing employee flow activity | b1e11b8c-545a-4dea-a912-0008e160d183 | PowerAutomate |
| Power Platform - Connector added to a sensitive environment | 886a5655-3d12-42f1-8927-4095789c575e | PowerPlatformAdmin |
| Linked Malicious Storage Artifacts | b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d | MicrosoftCloudAppSecurity |
| Deimos Component Execution | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b | MicrosoftThreatProtection |
| Bitsadmin Activity | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195 | MicrosoftThreatProtection |
| Files Copied to USB Drives | 3ab04acf-e0e7-4f7c-8995-748ab4c848c2 | MicrosoftThreatProtection |
| VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
| Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
| Insider Risk_Sensitive Data Access Outside Organizational Geo-location | b81ed294-28cf-48c3-bac8-ac60dcef293b | AzureInformationProtection AzureActiveDirectory |
| Mimecast Secure Email Gateway - Attachment Protect | 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2 | MimecastSEGAPI |
| Mimecast Secure Email Gateway - Internal Email Protect | d3bd7640-3600-49f9-8d10-6fe312e68b4f | MimecastSEGAPI |
| Mimecast Data Leak Prevention - Hold | 8e52bcf1-4f50-4c39-8678-d9efad64e379 | MimecastSEGAPI |
| Mimecast Data Leak Prevention - Notifications | cfd67598-ad0d-430a-a793-027eb4dbe967 | MimecastSEGAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | c048fa06-0d50-4626-ae82-a6cea812d9c4 | MimecastTTPAPI |
| Mimecast Data Leak Prevention - Hold | 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f | MimecastSIEMAPI |
| Mimecast Data Leak Prevention - Notifications | 1818aeaa-4cc8-426b-ba54-539de896d299 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
| Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
| Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
| Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 |
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
| OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | SyslogAma |
| Oracle - Put suspicious file | edc2f2b4-573f-11ec-bf63-0242ac130002 | CustomLogsAma |
| Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CefAma |
| ProofpointPOD - Email sender in TI list | 35a0792a-1269-431e-ac93-7ae2980d4dde | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
| ProofpointPOD - Email sender IP in TI list | 78979d32-e63f-4740-b206-cfb300c735e0 | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
| ProofpointPOD - Multiple archived attachments to the same recipient | bda5a2bd-979b-4828-a91f-27c2a5048f7f | ProofpointPOD |
| ProofpointPOD - Multiple large emails to the same recipient | d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32 | ProofpointPOD |
| ProofpointPOD - Multiple protected emails to unknown recipient | f8127962-7739-4211-a4a9-390a7a00e91f | ProofpointPOD |
| Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
| RecordedFuture Threat Hunting IP All Actors | e31bc14e-2b4c-42a4-af34-5bfd7d768aea | ThreatIntelligenceUploadIndicatorsAPI |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
| Threat Essentials - Time series anomaly for data size transferred to public internet | b49a1093-cbf6-4973-89ac-2eef98f533c6 | CiscoASA CiscoAsaAma PaloAltoNetworks AzureMonitor(VMInsights) |
| Third party integrated apps | BFA7EE22-B5A9-42C8-BD50-2E95885640BB | SenservaPro |
| SlackAudit - Multiple archived files uploaded in short period of time | 3db0cb83-5fa4-4310-a8a0-d8d66183f0bd | SlackAuditAPI |
| SlackAudit - Public link created for file which can contain sensitive information. | 279316e8-8965-47d2-9788-b94dc352c853 | SlackAuditAPI |
| SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
| New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
| Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
| Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
| Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
| Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
| Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
| Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
| Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
| Excessive Blocked Traffic Events Generated by User | fa0ab69c-7124-4f62-acdd-61017cf6ce89 | SyslogAma |
| SFTP File transfer above threshold | bb6a74c8-889d-4c6e-8412-7d5efe33f4ed | Syslog SyslogAma |
| SFTP File transfer folder count above threshold | 7355434e-09d5-4401-b56d-e03e9379dfb1 | Syslog SyslogAma |
| Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
| Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
| Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
| Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
| Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
| Trend Micro CAS - DLP violation | 1ddeb8ad-cad9-4db4-b074-f9da003ca3ed | TrendMicroCAS |
| Ubiquiti - Connection to known malicious IP or C2 | db60ca0b-b668-439b-b889-b63b57ef20fb | CustomLogsAma |
| Ubiquiti - Unusual FTP connection to external server | fd200125-9d57-4838-85ca-6430c63e4e5d | CustomLogsAma |
| Ubiquiti - Large ICMP to external server | 6df85d74-e32f-4b71-80e5-bfe2af00be1c | CustomLogsAma |
| Ubiquiti - connection to non-corporate DNS server | fe232837-9bdc-4e2b-8c08-cdac2610eed3 | CustomLogsAma |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | CefAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | CefAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | CefAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | CefAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | CefAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | CefAma |
| Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | 5965d3e7-8ed0-477c-9b42-e75d9237fab0 | |
| Detect presence of private IP addresses in URLs (ASIM Web Session) | e3a7722a-e099-45a9-9afb-6618e8f05405 | |
| Progress MOVEIt File transfer above threshold | 9bd18b63-f1ca-4375-95db-39fda00bfe20 | WindowsForwardedEvents |
| Progress MOVEIt File transfer folder count above threshold | 26a993ca-0a96-45a0-8405-05a210fb98f8 | WindowsForwardedEvents |
| DNS events related to ToR proxies | a83ef0f4-dace-4767-bce3-ebd32599d2a0 | DNS |
| DNS events related to ToR proxies (ASIM DNS Schema) | 3fe3c520-04f1-44b8-8398-782ed21435f8 | DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
| A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
| Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
| CreepyDrive request URL sequence | eda260eb-f4a1-4379-ad98-452604da9b3e | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| CreepyDrive URLs | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| RunningRAT request parameters | baedfdf4-7cc8-45a1-81a9-065821628b83 | Zscaler Fortinet CheckPoint PaloAltoNetworks |
| Time series anomaly detection for total volume of traffic | 06a9b845-6a95-4432-a78b-83919b28c375 | Barracuda CEF CheckPoint CiscoASA F5 Fortinet PaloAltoNetworks |
| Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
| IP address of Windows host encoded in web request | a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
| Windows host username encoded in base64 web request | 6e715730-82c0-496c-983b-7a20c4590bd9 | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
| Time series anomaly for data size transferred to public internet | f2dd4a3a-ebac-4994-9499-1a859938c947 | CiscoASA PaloAltoNetworks AzureMonitor(VMInsights) |
| NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
| Mass Download & copy to USB device by single user | 6267ce44-1e9d-471b-9f1e-ae76a6b7aa84 | MicrosoftCloudAppSecurity MicrosoftThreatProtection |