Product: RangerAudit
Use-Case: Data Leak
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 33 | 17 | 6 | 7 | 7 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1048 - Exfiltration Over Alternative Protocol ↳ EM-InRule-Fin: User has created an inbox forwarding rule to forward emails containing financial keywords T1114.003 - Email Collection: Email Forwarding Rule ↳ EM-InRule-EX: User has created an inbox forwarding rule to forward email to an external domain email ↳ EM-InRule-Public: User has created an inbox forwarding rule to forward email to a public email domain |
|
| dlp-alert | T1071 - Application Layer Protocol ↳ DLP-PT-F: First target domain for protocol T1204 - User Execution ↳ DLP-OBp-F: First blocked process for the organization ↳ DLP-GBp-F: First blocked process for the peer group ↳ DLP-UBp-F: First blocked process for the user T1048 - Exfiltration Over Alternative Protocol ↳ DLP-OU-ALERT-F: First DLP alert triggered for this user ↳ DLP-OU-ALERT-A: Abnormal user triggering DLP alert ↳ DLP-OG-ALERT-F: First DLP alert triggered for peer group in the organization ↳ DLP-OG-ALERT-A: Abnormal peer group triggering DLP alert in the organization ↳ DLP-UPolicy-F: First DLP alert name for user ↳ DLP-UPolicy-A: Abnormal DLP alert name for user ↳ DLP-UProtocol-F: First DLP protocol violation for user ↳ DLP-UProtocol-A: Abnormal DLP protocol violation for user ↳ DLP-GP-F: First DLP policy violation for peer group ↳ DLP-GP-A: Abnormal DLP policy violation for peer group ↳ DLP-OP-F: First DLP alert name in the organization ↳ DLP-OP-A: Abnormal DLP alert name in the organization ↳ DLP-UA-F: First DLP policy violation from asset for user ↳ DLP-GA-F: First DLP policy violation from asset for the peer group ↳ DLP-OA-F: First DLP policy violation from asset for the organization T1020 - Automated Exfiltration ↳ A-DLP-AN-ALERT-F: First DLP alert name on the asset ↳ A-DLP-AN-ALERT-A: Abnormal DLP alert name on the asset ↳ A-DLP-ON-ALERT-F: First DLP alert (by name) in the organization ↳ A-DLP-ON-ALERT-A: Abnormal DLP alert (by name) in the organization ↳ A-DLP-ZN-ALERT-F: First DLP alert (by name) in the zone ↳ A-DLP-ZN-ALERT-A: Abnormal DLP alert (by name) in the zone ↳ A-DLP-HN-ALERT-F: First DLP alert (by name) in the asset ↳ A-DLP-HN-ALERT-A: Abnormal DLP alert (by name) in the asset ↳ A-DLP-OA-ALERT-F: First DLP alert triggered for asset in the organization ↳ A-DLP-OA-ALERT-A: Abnormal asset triggering DLP alert in the organization |
• DLP-PT: Models the target domains accessed using this protocol • DLP-UBp: Processes that are blocked from execution for the user • DLP-GBp: Processes that are blocked from execution in the peer group • DLP-OBp: Processes that are blocked from execution in the organization • DLP-OA: Assets on which DLP policy violations occurred in the organization • DLP-GA: Assets on which DLP policy violations occurred in the peer group • DLP-UA: Assets on which DLP policy violations occurred for user • DLP-OP: DLP alert names in the organization • DLP-GP: DLP policy violations by peer group • DLP-UProtocol: DLP protocol violations by user • DLP-OG-ALERT: Peer groups triggering DLP alerts in the organization • DLP-OU-ALERT: Users triggering DLP alerts in the organization • A-DLP-OA-ALERT: Assets triggering DLP alerts in the organization • A-DLP-HN-ALERT: DLP alert names triggered in the asset • A-DLP-ZN-ALERT: DLP alert names triggered in the zone • A-DLP-ON-ALERT: DLP alert names triggered in the organization • A-DLP-AN-ALERT: DLP alert names on asset |
| file-write | T1114.001 - T1114.001 ↳ FA-Outlook-pst: A file ends with either pst or ost |