Product: ClientView
Use-Case: Data Leak
Rules | Models | MITRE TTPs | Event Types | Parsers |
---|---|---|---|---|
41 | 18 | 8 | 12 | 12 |
Event Type | MITRE TTP | Rule | Description |
---|---|---|---|
app-activity | T1048 - Exfiltration Over Alternative Protocol | EM-InRule-Fin | User has created an inbox forwarding rule to forward emails containing financial keywords |
app-activity | T1114.003 - Email Collection: Email Forwarding Rule | EM-InRule-EX | User has created an inbox forwarding rule to forward email to an external domain email address |
app-activity | T1114.003 - Email Collection: Email Forwarding Rule | EM-InRule-Public | User has created an inbox forwarding rule to forward email to a public email domain |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-BSum-first | Large amount of data in email for a user with no history |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Bytes | Abnormally large outbound email for the user |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Competition | Email to a competitor |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-country-F | First email to country for the organization |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-country-A | Abnormal email to country for the organization |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Gcountry-F | First email to country for the peer group |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Gcountry-A | Abnormal email to country for the peer group |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Ucountry-F | First email to country for the user |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Ucountry-A | Abnormal email to country for the user |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-UD-F | First email domain for the user |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-UD-A | Abnormal email domain for the user |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-GD-F | First email domain for the peer group |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-GD-A | Abnormal email domain for the peer group |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-OD-F | First email domain for the organization |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-OD-A | Abnormal email domain for the organization |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-G-EXEC-A | Abnormal for this peer group: an email from an executive user has been forwarded/sent |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-EXEC-Personal | Email sent by an executive user is forwarded to a personal email address |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-EXEC-Public | Email sent by an executive user is forwarded to a public email address |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-PublicDomain | Email has been sent to a public email domain from a company email address |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-BSum-5MB | Over 5MB of data emailed to a personal email domain |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Personal-PrivacySize | Email with privacy keywords in the subject is sent to a personal email address from a company email address and the email is larger than 10KB |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-PersonalEmail | Email sent to the user's personal email address from a company email address |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-UFEXT-A | Abnormal file attachment type in email for the user |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-GFEXT-A | Abnormal file attachment type in email for the peer group |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-OFEXT-A | Abnormal file attachment type in email for the organization |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Attachments | Abnormal number of attachments in outbound email for the user |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-File | Source code file found in an outgoing email attachment |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Confidential-File | Confidential file found in an outgoing email attachment |
dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-N-SUM-20 | Over 20MB sent by a new user over email |
dlp-email-alert-out | T1048 - Exfiltration Over Alternative Protocol | EM-DED | Email to a disposable email domain |
dlp-email-alert-out | T1020 - Automated Exfiltration | FEM-FU | Emailing a previously failed attachment |
file-write | T1114.001 - Email Collection: Local Email Collection | FA-Outlook-pst | A written file name ends with either pst or ost |
web-activity-allowed | T1030 - Data Transfer Size Limits | A-WEB-EXFIL-ASSET | Large amount of data exfiltrated from a host |
web-activity-allowed | T1030 - Data Transfer Size Limits | WEB-New-File-20 | User with no web activity history has uploaded 20MB or more |
web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols | WEB-OUa-Browser-F | First activity using this web browser for the organization |
web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols | WEB-FS | User has accessed a file sharing domain |
web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols | WEB-OU-FS | One of the top file sharing users in the organization |
web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols | WEB-OG-FS | One of the top file sharing users in the peer group |
web-activity-allowed | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | WEB-FS | User has accessed a file sharing domain |
web-activity-allowed | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | WEB-OU-FS | One of the top file sharing users in the organization |
web-activity-allowed | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | WEB-OG-FS | One of the top file sharing users in the peer group |

Event Type | Model | Description |
---|---|---|
app-activity | (no models) | |
dlp-email-alert-out | EM-Attachments | Attachments per email |
dlp-email-alert-out | EM-OFEXT | Email file attachment types in the organization |
dlp-email-alert-out | EM-GFEXT | Email file attachment types in the peer group |
dlp-email-alert-out | EM-UFEXT | Email file attachment types by the user |
dlp-email-alert-out | EM-UD | Domains per user |
dlp-email-alert-out | EM-EXEC | Email subjects sent by an executive user |
dlp-email-alert-out | EM-G-EXEC | Peer groups that send emails from executives |
dlp-email-alert-out | FEM-FU | Users per file name in failed outgoing emails |
dlp-email-alert-out | EM-OD | Domains per organization |
dlp-email-alert-out | EM-GD | Domains per peer group |
dlp-email-alert-out | EM-Ucountry | Email countries from/to the user |
dlp-email-alert-out | EM-Gcountry | Email countries from/to the peer group |
dlp-email-alert-out | EM-country | Email countries for the organization |
dlp-email-alert-out | EM-Bytes | Bytes per email to external domains |
dlp-email-alert-out | EM-BSum-personal | Sum of bytes in outgoing emails to personal domains |
file-write | (no models) | |
web-activity-allowed | WEB-OG-FS | File sharing activities of users in the peer group |
web-activity-allowed | WEB-OU-FS | File sharing activities of users in the organization |
web-activity-allowed | WEB-OUa-Browser-New | Top web browsers being used in this organization |