Exfiltration
Rule Name | id | Required data connectors |
---|---|---|
API - BOLA | 1b047dc3-a879-4f99-949b-d1dc867efc83 | 42CrunchAPIProtection |
RDS instance publicly exposed | 8f1630c2-2e45-4df2-be43-50fba90f601d | AWS |
S3 bucket access point publicly exposed | b7a44e0d-ae4c-4fb2-be1b-aa0e45f2327b | AWS |
S3 bucket exposed via ACL | 6b9b4ee6-f4c1-4b86-8c8c-beb0bb59ae44 | AWS |
S3 bucket exposed via policy | 44a5b65e-b0a9-4591-aabc-388fd92a28c4 | AWS |
S3 object publicly exposed | 09f2a28b-3286-4268-9e2f-33805f104e5d | AWS |
Apache - Put suspicious file | c5d69e46-3b00-11ec-8d3d-0242ac130003 | ApacheHTTPServer CustomLogsAma |
Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents WindowsSecurityEvents WindowsForwardedEvents |
CloudNGFW By Palo Alto Networks - Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | CloudNgfwByPAN |
Abnormal Deny Rate for Source IP | d36bb1e3-5abc-4037-ad9a-24ba3469819e | AzureFirewall |
Abnormal Port to Protocol | 826f930c-2f25-4508-8e75-a95b809a4e15 | AzureFirewall |
Multiple Sources Affected by the Same TI Destination | 4644baf7-3464-45dd-bd9d-e07687e25f81 | AzureFirewall |
Response rows stateful anomaly on database | 9851c360-5fd5-4bae-a117-b66d8476bf5e | AzureSql |
Bitglass - Multiple files shared with external entity | 09690f9b-33d1-4372-a6aa-eb7d3b3cdebc | Bitglass |
Bitglass - Suspicious file uploads | 4b272e82-19f1-40d1-bfdf-74fbb6353e8b | Bitglass |
Box - Item shared to external entity | 3b803560-f8a6-4db4-89cb-617d89724ba1 | BoxDataConnector |
Box - File containing sensitive data | 266746ae-5eaf-4068-a980-5d630f435c46 | BoxDataConnector |
Cisco SEG - DLP policy violation | df5c34dd-e1e6-4e07-90b1-4309ebfe754c | CiscoSEG CiscoSEGAma CefAma |
Cisco SEG - Multiple large emails sent to external recipient | 1399a9a5-6200-411e-8c34-ca5658754cf7 | CiscoSEG CiscoSEGAma CefAma |
Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
Cisco Umbrella - Connection to Unpopular Website Detected | 75297f62-10a8-4fc1-9b2a-12f25c6f05a7 | CiscoUmbrellaDataConnector |
Cisco Umbrella - Crypto Miner User-Agent Detected | b619d1f1-7f39-4c7e-bf9e-afbb46457997 | CiscoUmbrellaDataConnector |
Cisco Umbrella - Hack Tool User-Agent Detected | 8d537f3c-094f-430c-a588-8a87da36ee3a | CiscoUmbrellaDataConnector |
Cisco Umbrella - Rare User Agent Detected | 8c8de3fa-6425-4623-9cd9-45de1dd0569a | CiscoUmbrellaDataConnector |
Cisco Umbrella - Request Allowed to harmful/malicious URI category | d6bf1931-b1eb-448d-90b2-de118559c7ce | CiscoUmbrellaDataConnector |
Cisco Umbrella - URI contains IP address | ee1818ec-5f65-4991-b711-bcf2ab7e36c3 | CiscoUmbrellaDataConnector |
Cisco WSA - Unexpected uploads | 32c460ad-2d40-43e9-8ead-5cdd1d7a3163 | CiscoWSA SyslogAma |
Cisco WSA - Suspected protocol abuse | 6f756792-4888-48a5-97cf-40d9430dc932 | CiscoWSA SyslogAma |
Contrast Blocks | 4396f8c3-d114-4154-9f4c-048ba522ed04 | ContrastProtect ContrastProtectAma CefAma |
Contrast Exploits | e1abb6ed-be18-40fd-be58-3d3d84041daf | ContrastProtect ContrastProtectAma CefAma |
Contrast Probes | 297596de-d9ae-4fb8-b6ff-00fc01c9462d | ContrastProtect ContrastProtectAma CefAma |
Contrast Suspicious | f713404e-805c-4e0c-91fa-2c149f76a07d | ContrastProtect ContrastProtectAma CefAma |
Corelight - Multiple Compressed Files Transferred over HTTP | 4e55e306-3022-43a1-870a-41c4d5116079 | Corelight |
Corelight - Multiple files sent over HTTP with abnormal requests | 7226d37b-50ee-4e3b-9f80-5b74080d8f2c | Corelight |
Dev-0270 Malicious Powershell usage | 422ca2bf-598b-4872-82bb-5f7e8fa731e7 | SecurityEvents WindowsSecurityEvents MicrosoftThreatProtection |
Digital Guardian - Sensitive data transfer over insecure channel | b52cda18-c1af-40e5-91f3-1fcbf9fa267e | DigitalGuardianDLP SyslogAma |
Digital Guardian - Exfiltration using DNS protocol | 39e25deb-49bb-4cdb-89c1-c466d596e2bd | DigitalGuardianDLP SyslogAma |
Digital Guardian - Exfiltration to online fileshare | f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8 | DigitalGuardianDLP SyslogAma |
Digital Guardian - Exfiltration to private email | edead9b5-243a-466b-ae78-2dae32ab1117 | DigitalGuardianDLP SyslogAma |
Digital Guardian - Exfiltration to external domain | a19885c8-1e44-47e3-81df-d1d109f5c92d | DigitalGuardianDLP SyslogAma |
Digital Guardian - Bulk exfiltration to external domain | 5f75a873-b524-4ba5-a3b8-2c20db517148 | DigitalGuardianDLP SyslogAma |
Digital Guardian - Multiple incidents from user | e8901dac-2549-4948-b793-5197a5ed697a | DigitalGuardianDLP SyslogAma |
Digital Guardian - Possible SMTP protocol abuse | a374a933-f6c4-4200-8682-70402a9054dd | DigitalGuardianDLP SyslogAma |
Digital Guardian - Unexpected protocol | a14f2f95-bbd2-4036-ad59-e3aff132b296 | DigitalGuardianDLP SyslogAma |
Digital Guardian - Incident with not blocked action | 07bca129-e7d6-4421-b489-32abade0b6a7 | DigitalGuardianDLP SyslogAma |
Web sites blocked by Eset | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 | EsetSMC |
Website blocked by ESET | 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f | ESETPROTECT SyslogAma |
Office 365 - Mail redirect via ExO transport rule | edcfc2e0-3134-434c-8074-9101c530d419 | AzureActiveDirectory |
Office 365 - Multiple Users Email Forwarded to Same Destination | d75e8289-d1cb-44d4-bd59-2f44a9172478 | AzureActiveDirectory |
Office 365 - SharePoint File Operation via Previously Unseen IPs | 7460e34e-4c99-47b2-b7c0-c42e339fc586 | AzureActiveDirectory |
Office 365 - SharePointFileOperation via devices with previously unseen user agents | efd17c5f-5167-40f8-a1e9-0818940785d9 | AzureActiveDirectory |
Office 365 - Sharepoint File Transfer Above Threshold | 30375d00-68cc-4f95-b89a-68064d566358 | AzureActiveDirectory |
Office 365 - Sharepoint File Transfer Above Threshold | abd6976d-8f71-4851-98c4-4d086201319c | AzureActiveDirectory |
Detect Abnormal Deny Rate for Source to Destination IP | e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b | AzureActiveDirectory |
Detect Protocol Changes for Destination Ports | f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a | AzureActiveDirectory |
Multiple Users Email Forwarded to Same Destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | AzureActiveDirectory |
SharePointFileOperation via devices with previously unseen user agents | f2367171-1514-4c67-88ef-27434b6a1093 | AzureActiveDirectory |
Office Mail Forwarding - Hunting Version | d49fc965-aef3-49f6-89ad-10cc4697eb5b | AzureActiveDirectory |
Google DNS - Possible data exfiltration | 705bed63-668f-4508-9d2d-26faf4010700 | GCPDNSDataConnector |
Mail redirect via ExO transport rule | 500415fb-bba7-4227-a08a-9857fb61b6a7 | Office365 |
Multiple users email forwarded to same destination | 871ba14c-88ef-48aa-ad38-810f26760ca3 | Office365 |
SharePointFileOperation via previously unseen IPs | 4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7 | Office365 |
SharePointFileOperation via devices with previously unseen user agents | 5dd76a87-9f87-4576-bab3-268b0e2b338b | Office365 |
Office365 Sharepoint File transfer above threshold | 8b4f03e7-3460-4401-824d-e65a8dd464f0 | Office365 |
Office365 Sharepoint File transfer Folders above threshold | 8a547285-801c-4290-aa2e-5e7e20ca157d | Office365 |
Multiple users email forwarded to same destination | a1551ae4-f61c-4bca-9c57-4d0d681db2e9 | Office365 |
Linked Malicious Storage Artifacts | b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d | MicrosoftCloudAppSecurity |
Deimos Component Execution | c25a8cd4-5b4a-45a8-9ba0-3b753a652f6b | MicrosoftThreatProtection |
Bitsadmin Activity | 2a1dc4c2-a8d6-4a0e-8539-9b971c851195 | MicrosoftThreatProtection |
Files Copied to USB Drives | 3ab04acf-e0e7-4f7c-8995-748ab4c848c2 | MicrosoftThreatProtection |
VIP Mailbox manipulation | 5170c3c4-b8c9-485c-910d-a21d965ee181 | ESI-ExchangeAdminAuditLogEvents |
Server Oriented Cmdlet And User Oriented Cmdlet used | 7bce901b-9bc8-4948-8dfc-8f68878092d5 | ESI-ExchangeAdminAuditLogEvents |
Insider Risk_Sensitive Data Access Outside Organizational Geo-location | b81ed294-28cf-48c3-bac8-ac60dcef293b | AzureInformationProtection AzureActiveDirectory |
Mimecast Data Leak Prevention - Hold | 3e12b7b1-75e5-497c-ba01-b6cb30b60d7f | MimecastSIEMAPI |
Mimecast Data Leak Prevention - Notifications | 1818aeaa-4cc8-426b-ba54-539de896d299 | MimecastSIEMAPI |
Mimecast Secure Email Gateway - Attachment Protect | 72264f4f-61fb-4f4f-96c4-635571a376c2 | MimecastSIEMAPI |
Mimecast Secure Email Gateway - Internal Email Protect | 5b66d176-e344-4abf-b915-e5f09a6430ef | MimecastSIEMAPI |
Mimecast Targeted Threat Protection - Impersonation Protect | d8e7eca6-4b59-4069-a31e-a022b2a12ea4 | MimecastTTPAPI |
Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory AWSS3 |
Anomaly found in Network Session Traffic (ASIM Network Session schema) | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 | AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki |
OracleDBAudit - Connection to database from external IP | 54aa2c17-acfd-4e3a-a1c4-99c88cf34ebe | OracleDatabaseAudit SyslogAma |
Oracle - Put suspicious file | edc2f2b4-573f-11ec-bf63-0242ac130002 | OracleWebLogicServer CustomLogsAma |
Palo Alto Threat signatures from Unusual IP addresses | 89a86f70-615f-4a79-9621-6f68c50f365f | PaloAltoNetworks PaloAltoNetworksAma CefAma |
ProofpointPOD - Email sender in TI list | 35a0792a-1269-431e-ac93-7ae2980d4dde | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
ProofpointPOD - Email sender IP in TI list | 78979d32-e63f-4740-b206-cfb300c735e0 | ThreatIntelligence ThreatIntelligenceTaxii ProofpointPOD |
ProofpointPOD - Multiple archived attachments to the same recipient | bda5a2bd-979b-4828-a91f-27c2a5048f7f | ProofpointPOD |
ProofpointPOD - Multiple large emails to the same recipient | d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32 | ProofpointPOD |
ProofpointPOD - Multiple protected emails to unknown recipient | f8127962-7739-4211-a4a9-390a7a00e91f | ProofpointPOD |
Radiflow - Platform Alert | ff0c781a-b30f-4acf-9cf1-75d7383d66d1 | RadiflowIsid |
RecordedFuture Threat Hunting IP All Actors | e31bc14e-2b4c-42a4-af34-5bfd7d768aea | ThreatIntelligenceUploadIndicatorsAPI |
Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
Threat Essentials - Mail redirect via ExO transport rule | d7c575b2-84f5-48cb-92c5-70d7e8246284 | Office365 |
Threat Essentials - Time series anomaly for data size transferred to public internet | b49a1093-cbf6-4973-89ac-2eef98f533c6 | CiscoASA CiscoAsaAma PaloAltoNetworks AzureMonitor(VMInsights) |
Third party integrated apps | BFA7EE22-B5A9-42C8-BD50-2E95885640BB | SenservaPro |
SlackAudit - Multiple archived files uploaded in short period of time | 3db0cb83-5fa4-4310-a8a0-d8d66183f0bd | SlackAuditAPI |
SlackAudit - Public link created for file which can contain sensitive information. | 279316e8-8965-47d2-9788-b94dc352c853 | SlackAuditAPI |
SonicWall - Allowed SSH, Telnet, and RDP Connections | 27f1a570-5f20-496b-88f6-a9aa2c5c9534 | CEF SonicWallFirewall CefAma |
New Sonrai Ticket | bcc3362d-b6f9-4de0-b41c-707fafd5a416 | SonraiDataConnector |
Sonrai Ticket Assigned | 37a8d052-a3db-4dc6-9dca-9390cac6f486 | SonraiDataConnector |
Sonrai Ticket Closed | f5d467de-b5a2-4b4f-96db-55e27c733594 | SonraiDataConnector |
Sonrai Ticket Escalation Executed | 0d29c93e-b83f-4dfb-bbbb-76824b77eeca | SonraiDataConnector |
Sonrai Ticket Escalation Executed | 822fff15-ea68-4d0f-94ee-b4482ddb6f3a | SonraiDataConnector |
Sonrai Ticket Reopened | b60129ab-ce22-4b76-858d-3204932a13cc | SonraiDataConnector |
Sonrai Ticket Risk Accepted | 080191e8-271d-4ae6-85ce-c7bcd4b06b40 | SonraiDataConnector |
Sonrai Ticket Snoozed | 10e6c454-5cad-4f86-81ce-800235cb050a | SonraiDataConnector |
Sonrai Ticket Updated | af9b8eb1-a8ef-40aa-92a4-1fc73a1479c7 | SonraiDataConnector |
Excessive Blocked Traffic Events Generated by User | fa0ab69c-7124-4f62-acdd-61017cf6ce89 | SymantecEndpointProtection SyslogAma |
SFTP File transfer above threshold | bb6a74c8-889d-4c6e-8412-7d5efe33f4ed | Syslog SyslogAma |
SFTP File transfer folder count above threshold | 7355434e-09d5-4401-b56d-e03e9379dfb1 | Syslog SyslogAma |
Theom Critical Risks | bb9051ef-0e72-4758-a143-80c25ee452f0 | Theom |
Theom High Risks | 74b80987-0a62-448c-8779-47b02e17d3cf | Theom |
Theom Insights | d200da84-0191-44ce-ad9e-b85e64c84c89 | Theom |
Theom Low Risks | cf7fb616-ac80-40ce-ad18-aa18912811f8 | Theom |
Theom Medium Risks | 4cb34832-f73a-49f2-8d38-c2d135c5440b | Theom |
Trend Micro CAS - DLP violation | 1ddeb8ad-cad9-4db4-b074-f9da003ca3ed | TrendMicroCAS |
Ubiquiti - Connection to known malicious IP or C2 | db60ca0b-b668-439b-b889-b63b57ef20fb | UbiquitiUnifi CustomLogsAma |
Ubiquiti - Unusual FTP connection to external server | fd200125-9d57-4838-85ca-6430c63e4e5d | UbiquitiUnifi CustomLogsAma |
Ubiquiti - Large ICMP to external server | 6df85d74-e32f-4b71-80e5-bfe2af00be1c | UbiquitiUnifi CustomLogsAma |
Ubiquiti - connection to non-corporate DNS server | fe232837-9bdc-4e2b-8c08-cdac2610eed3 | UbiquitiUnifi CustomLogsAma |
Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect AIVectraDetectAma CefAma |
Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect AIVectraDetectAma CefAma |
Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect AIVectraDetectAma CefAma |
Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | 5965d3e7-8ed0-477c-9b42-e75d9237fab0 | |
Detect presence of private IP addresses in URLs (ASIM Web Session) | e3a7722a-e099-45a9-9afb-6618e8f05405 | |
Progress MOVEIt File transfer above threshold | 9bd18b63-f1ca-4375-95db-39fda00bfe20 | WindowsForwardedEvents |
Progress MOVEIt File transfer folder count above threshold | 26a993ca-0a96-45a0-8405-05a210fb98f8 | WindowsForwardedEvents |
DNS events related to ToR proxies | a83ef0f4-dace-4767-bce3-ebd32599d2a0 | DNS |
DNS events related to ToR proxies (ASIM DNS Schema) | 3fe3c520-04f1-44b8-8398-782ed21435f8 | DNS AzureFirewall Zscaler InfobloxNIOS GCPDNSDataConnector NXLogDnsLogs CiscoUmbrellaDataConnector Corelight |
A host is potentially running a hacking tool (ASIM Web Session schema) | 3f0c20d5-6228-48ef-92f3-9ff7822c1954 | SquidProxy Zscaler |
Cisco Umbrella - Connection to non-corporate private network | c9b6d281-b96b-4763-b728-9a04b9fe1246 | CiscoUmbrellaDataConnector |
CreepyDrive request URL sequence | eda260eb-f4a1-4379-ad98-452604da9b3e | Zscaler Fortinet CheckPoint PaloAltoNetworks |
CreepyDrive URLs | b6d03b88-4d27-49a2-9c1c-29f1ad2842dc | Zscaler Fortinet CheckPoint PaloAltoNetworks |
RunningRAT request parameters | baedfdf4-7cc8-45a1-81a9-065821628b83 | Zscaler Fortinet CheckPoint PaloAltoNetworks |
Time series anomaly detection for total volume of traffic | 06a9b845-6a95-4432-a78b-83919b28c375 | Barracuda CEF CheckPoint CiscoASA F5 Fortinet PaloAltoNetworks |
Users searching for VIP user activity | f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e | |
IP address of Windows host encoded in web request | a4ce20ae-a2e4-4d50-b40d-d49f1353b6cc | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
Windows host username encoded in base64 web request | 6e715730-82c0-496c-983b-7a20c4590bd9 | Zscaler Fortinet CheckPoint PaloAltoNetworks MicrosoftThreatProtection |
Time series anomaly for data size transferred to public internet | f2dd4a3a-ebac-4994-9499-1a859938c947 | CiscoASA PaloAltoNetworks AzureMonitor(VMInsights) |
NRT Multiple users email forwarded to same destination | 3b05727d-a8d1-477d-bbdd-d957da96ac7b | Office365 |
Mass Download & copy to USB device by single user | 6267ce44-1e9d-471b-9f1e-ae76a6b7aa84 | MicrosoftCloudAppSecurity MicrosoftThreatProtection |