Product: Sybase
Use-Case: Data Leak
Rules | Models | MITRE TTPs | Event Types | Parsers |
---|---|---|---|---|
31 | 15 | 3 | 3 | 3 |
Event Type | Rules | Models |
---|---|---|
dlp-email-alert-out | 31 | 15 |

MITRE TTPs covered by the dlp-email-alert-out rules:

MITRE TTP | Name |
---|---|
T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
T1048 | Exfiltration Over Alternative Protocol |
T1020 | Automated Exfiltration |

Rules for dlp-email-alert-out:

Rule | MITRE TTP | Description |
---|---|---|
EM-BSum-first | T1048.003 | Large amount of data in email for user with no history |
EM-Bytes | T1048.003 | Abnormally large outbound email for user |
EM-Competition | T1048.003 | Email to competition |
EM-country-F | T1048.003 | First email to country for the organization |
EM-country-A | T1048.003 | Abnormal email to country for the organization |
EM-Gcountry-F | T1048.003 | First email to country for the peer group |
EM-Gcountry-A | T1048.003 | Abnormal email to country for the peer group |
EM-Ucountry-F | T1048.003 | First email to country for the user |
EM-Ucountry-A | T1048.003 | Abnormal email to country for the user |
EM-UD-F | T1048.003 | First email domain for user |
EM-UD-A | T1048.003 | Abnormal email domain for user |
EM-GD-F | T1048.003 | First email domain for group |
EM-GD-A | T1048.003 | Abnormal email domain for group |
EM-OD-F | T1048.003 | First email domain for organization |
EM-OD-A | T1048.003 | Abnormal email domain for organization |
EM-G-EXEC-A | T1048.003 | Abnormal for this peer group: an email from an executive user was forwarded/sent |
EM-EXEC-Personal | T1048.003 | Email sent by an executive user is forwarded to personal email |
EM-EXEC-Public | T1048.003 | Email sent by an executive user is forwarded to public email |
EM-PublicDomain | T1048.003 | Email has been sent to a public email domain from company email |
EM-BSum-5MB | T1048.003 | Over 5MB of data emailed to personal email domain |
EM-Personal-PrivacySize | T1048.003 | Email with privacy keywords in subject is sent to a personal email address from a company email address and the email is larger than 10KB |
EM-PersonalEmail | T1048.003 | Email sent from company email to the user's personal email |
EM-UFEXT-A | T1048.003 | Abnormal file attachment type in email for user |
EM-GFEXT-A | T1048.003 | Abnormal file attachment type in email for peer group |
EM-OFEXT-A | T1048.003 | Abnormal file attachment type in email for organization |
EM-Attachments | T1048.003 | Abnormal number of attachments in outbound email for user |
EM-File | T1048.003 | Source code file found in outgoing email attachment |
EM-Confidential-File | T1048.003 | Confidential file found in outgoing email attachment |
EM-N-SUM-20 | T1048.003 | Over 20MB sent over email by a new user |
EM-DED | T1048 | Email to a disposable email domain |
FEM-FU | T1020 | Emailing a previously failed attachment |

Models for dlp-email-alert-out:

Model | Description |
---|---|
EM-Attachments | Attachments per email |
EM-OFEXT | Email file attachment types in the organization |
EM-GFEXT | Email file attachment types in the peer group |
EM-UFEXT | Email file attachment types by the user |
EM-UD | Domains per user |
EM-EXEC | Email subjects sent by an executive user |
EM-G-EXEC | Peer groups that send emails from executives |
FEM-FU | Users per file name in failed outgoing emails |
EM-OD | Domains per organization |
EM-GD | Domains per group |
EM-Ucountry | Email countries from/to user |
EM-Gcountry | Email countries from/to peer group |
EM-country | Email countries |
EM-Bytes | Bytes per email to external domains |
EM-BSum-personal | Sum of bytes in outgoing emails to personal domains |
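As an added illustration (not Exabeam's rule engine and not code from this page), the Python below replays constructed DLP email events through four of the rule types in the table: a first-seen rule backed by a per-user model (EM-UD-F over the EM-UD model), a static-list match (EM-DED), and two cumulative-size thresholds (EM-BSum-5MB over the EM-BSum-personal model, and EM-N-SUM-20). The event schema, the personal and disposable domain lists, the byte interpretation of "5MB"/"20MB", and the guard that a first-seen rule only fires once the user already has history are all assumptions made for the example.

```python
"""Replay constructed outbound-email DLP events through a few of the
rule types catalogued above. Illustrative only; not Exabeam's engine.
"""
from collections import defaultdict

MB = 1024 * 1024
PERSONAL_SUM_THRESHOLD = 5 * MB    # EM-BSum-5MB: "over 5MB" to personal domains (assumed binary MB)
NEW_USER_SUM_THRESHOLD = 20 * MB   # EM-N-SUM-20: "over 20MB" sent by a new user (assumed binary MB)

# Assumed domain lists; a real deployment would maintain these as context tables.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com"}

# Constructed sample events (not real DLP output). Schema is an assumption:
# user, recipient domain, message size in bytes, and a "new user" flag
# that a real system would derive from account age / first-seen time.
SAMPLE_EVENTS = [
    {"user": "alice", "domain": "partner.example", "bytes": 120_000, "new_user": False},
    {"user": "alice", "domain": "partner.example", "bytes": 80_000, "new_user": False},
    {"user": "alice", "domain": "gmail.com", "bytes": 3_000_000, "new_user": False},
    {"user": "alice", "domain": "gmail.com", "bytes": 2_500_000, "new_user": False},
    {"user": "bob", "domain": "mailinator.com", "bytes": 4_000, "new_user": False},
    {"user": "carol", "domain": "partner.example", "bytes": 25_000_000, "new_user": True},
]


def evaluate(events, personal_domains=PERSONAL_DOMAINS, disposable_domains=DISPOSABLE_DOMAINS):
    """Process events in order, updating per-user models as it goes.

    Returns a list of (rule_id, user, event_index) triggers. Models are
    updated *after* the rule check for the current event, which is what
    makes a "first seen" rule possible at all.
    """
    seen_domains = defaultdict(set)     # EM-UD model: domains per user
    personal_bytes = defaultdict(int)   # EM-BSum-personal model: bytes to personal domains per user
    new_user_bytes = defaultdict(int)   # running total for EM-N-SUM-20
    alerts = []

    for i, ev in enumerate(events):
        user, domain, size = ev["user"], ev["domain"].lower(), ev["bytes"]

        # EM-UD-F: first email domain for user. Assumed guard: only fire once the
        # user's model has history; with an empty model every domain a brand-new
        # user touches would be "first seen", which is pure noise.
        if seen_domains[user] and domain not in seen_domains[user]:
            alerts.append(("EM-UD-F", user, i))
        seen_domains[user].add(domain)

        # EM-DED: email to a disposable email domain (static list match, no model).
        if domain in disposable_domains:
            alerts.append(("EM-DED", user, i))

        # EM-BSum-5MB: fire once, when the running sum to personal domains crosses 5MB.
        if domain in personal_domains:
            before = personal_bytes[user]
            personal_bytes[user] += size
            if before <= PERSONAL_SUM_THRESHOLD < personal_bytes[user]:
                alerts.append(("EM-BSum-5MB", user, i))

        # EM-N-SUM-20: same crossing logic, restricted to users flagged as new.
        if ev["new_user"]:
            before = new_user_bytes[user]
            new_user_bytes[user] += size
            if before <= NEW_USER_SUM_THRESHOLD < new_user_bytes[user]:
                alerts.append(("EM-N-SUM-20", user, i))

    return alerts


if __name__ == "__main__":
    for rule, user, idx in evaluate(SAMPLE_EVENTS):
        print(f"{rule:14s} user={user:6s} event#{idx}")
```

Two points worth noting against the real rule set: the "-F" rules only make sense once the corresponding model has had a training window (here approximated by the non-empty `seen_domains[user]` check), and the sum-based rules fire on the crossing event rather than on every subsequent one, so a single large transfer and a trickle of small ones produce the same single alert.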