Product: Falcon
Use-Case: Data Leak
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 50 | 23 | 8 | 26 | 26 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1048 - Exfiltration Over Alternative Protocol ↳ EM-InRule-Fin: User has created an inbox forwarding rule to forward emails containing financial keywords T1114.003 - Email Collection: Email Forwarding Rule ↳ EM-InRule-EX: User has created an inbox forwarding rule to forward email to an external domain email ↳ EM-InRule-Public: User has created an inbox forwarding rule to forward email to a public email domain |
|
| dlp-alert | T1071 - Application Layer Protocol ↳ DLP-PT-F: First target domain for protocol T1204 - User Execution ↳ DLP-OBp-F: First blocked process for the organization ↳ DLP-GBp-F: First blocked process for the peer group ↳ DLP-UBp-F: First blocked process for the user T1048 - Exfiltration Over Alternative Protocol ↳ DLP-OU-ALERT-F: First DLP alert triggered for this user ↳ DLP-OU-ALERT-A: Abnormal user triggering DLP alert ↳ DLP-OG-ALERT-F: First DLP alert triggered for peer group in the organization ↳ DLP-OG-ALERT-A: Abnormal peer group triggering DLP alert in the organization ↳ DLP-UPolicy-F: First DLP alert name for user ↳ DLP-UPolicy-A: Abnormal DLP alert name for user ↳ DLP-UProtocol-F: First DLP protocol violation for user ↳ DLP-UProtocol-A: Abnormal DLP protocol violation for user ↳ DLP-GP-F: First DLP policy violation for peer group ↳ DLP-GP-A: Abnormal DLP policy violation for peer group ↳ DLP-OP-F: First DLP alert name in the organization ↳ DLP-OP-A: Abnormal DLP alert name in the organization ↳ DLP-UA-F: First DLP policy violation from asset for user ↳ DLP-GA-F: First DLP policy violation from asset for the peer group ↳ DLP-OA-F: First DLP policy violation from asset for the organization T1020 - Automated Exfiltration ↳ A-DLP-AN-ALERT-F: First DLP alert name on the asset ↳ A-DLP-AN-ALERT-A: Abnormal DLP alert name on the asset ↳ A-DLP-ON-ALERT-F: First DLP alert (by name) in the organization ↳ A-DLP-ON-ALERT-A: Abnormal DLP alert (by name) in the organization ↳ A-DLP-ZN-ALERT-F: First DLP alert (by name) in the zone ↳ A-DLP-ZN-ALERT-A: Abnormal DLP alert (by name) in the zone ↳ A-DLP-HN-ALERT-F: First DLP alert (by name) in the asset ↳ A-DLP-HN-ALERT-A: Abnormal DLP alert (by name) in the asset ↳ A-DLP-OA-ALERT-F: First DLP alert triggered for asset in the organization ↳ A-DLP-OA-ALERT-A: Abnormal asset triggering DLP alert in the organization |
• DLP-PT: Models the target domains accessed using this protocol • DLP-UBp: Processes that are blocked from execution for the user • DLP-GBp: Processes that are blocked from execution in the peer group • DLP-OBp: Processes that are blocked from execution in the organization • DLP-OA: Assets on which DLP policy violations occurred in the organization • DLP-GA: Assets on which DLP policy violations occurred in the peer group • DLP-UA: Assets on which DLP policy violations occurred for user • DLP-OP: DLP alert names in the organization • DLP-GP: DLP policy violations by peer group • DLP-UProtocol: DLP protocol violations by user • DLP-OG-ALERT: Peer groups triggering DLP alerts in the organization • DLP-OU-ALERT: Users triggering DLP alerts in the organization • A-DLP-OA-ALERT: Assets triggering DLP alerts in the organization • A-DLP-HN-ALERT: DLP alert names triggered in the asset • A-DLP-ZN-ALERT: DLP alert names triggered in the zone • A-DLP-ON-ALERT: DLP alert names triggered in the organization • A-DLP-AN-ALERT: DLP alert names on asset |
| dlp-email-alert-out-failed | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol ↳ EM-BSum-5MB-Fail: Failed attempt to email over 5MB of data to a personal email domain. T1020 - Automated Exfiltration ↳ FEM-FU: Emailing a previously failed attachment T1048 - Exfiltration Over Alternative Protocol ↳ FEM-UD-R: Repeated email failure to domain |
• FEM-FU: Users per file names in failed outgoing emails • FEM-UD: Failed Email Domains per User |
| file-write | T1114.001 - T1114.001 ↳ FA-Outlook-pst: A file ends with either pst or ost |
|
| usb-insert | T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UH-F: First asset for user in USB event ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device |
• UW-DH: Hosts that were used with USB Device • UW-UD: USB Devices per User • UW-UH: Hosts used with USB Device per User • UW-UHD: Assets and USB Devices for users |