Product: Falcon
Use-Case: Data Exfiltration
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 44 | 19 | 15 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| dlp-alert | T1071 - Application Layer Protocol ↳ DLP-PT-F: First target domain for protocol TA0010 - TA0010 ↳ A-DLP-AN-ALERT-F: First DLP alert name on the asset ↳ A-DLP-AN-ALERT-A: Abnormal DLP alert name on the asset ↳ A-DLP-ON-ALERT-F: First DLP alert (by name) in the organization ↳ A-DLP-ON-ALERT-A: Abnormal DLP alert (by name) in the organization ↳ A-DLP-ZN-ALERT-F: First DLP alert (by name) in the zone ↳ A-DLP-ZN-ALERT-A: Abnormal DLP alert (by name) in the zone ↳ A-DLP-HN-ALERT-A: Abnormal DLP alert (by name) in the asset ↳ A-DLP-OA-ALERT-F: First DLP alert triggered for asset in the organization ↳ A-DLP-OA-ALERT-A: Abnormal asset triggering DLP alert in the organization ↳ DLP-OU-ALERT-F: First DLP alert triggered for this user ↳ DLP-OU-ALERT-A: Abnormal user triggering DLP alert ↳ DLP-OG-ALERT-F: First DLP alert triggered for peer group in the organization ↳ DLP-OG-ALERT-A: Abnormal peer group triggering DLP alert in the organization ↳ DLP-UPolicy-F: First DLP alert name for user ↳ DLP-UPolicy-A: Abnormal DLP alert name for user ↳ DLP-UProtocol-F: First DLP protocol violation for user ↳ DLP-UProtocol-A: Abnormal DLP protocol violation for user ↳ DLP-GP-F: First DLP policy violation for peer group ↳ DLP-GP-A: Abnormal DLP policy violation for peer group ↳ DLP-OP-F: First DLP alert name in the organization ↳ DLP-OP-A: Abnormal DLP alert name in the organization ↳ DLP-UA-F: First DLP policy violation from asset for user ↳ DLP-GA-F: First DLP policy violation from asset for the peer group ↳ DLP-OA-F: First DLP policy violation from asset for the organization ↳ DLP-OBp-F: First blocked process for the organization ↳ DLP-GBp-F: First blocked process for the peer group ↳ DLP-UBp-F: First blocked process for the user T1020 - Automated Exfiltration ↳ A-DLP-HN-ALERT-F: First DLP alert (by name) in the asset |
• DLP-PT: Models the target domains accessed using this protocol • DLP-UBp: Processes that are blocked from execution for the user • DLP-GBp: Processes that are blocked from execution in the peer group • DLP-OBp: Processes that are blocked from execution in the organization • DLP-OA: Assets on which DLP policy violations occurred in the organization • DLP-GA: Assets on which DLP policy violations occurred in the peer group • DLP-UA: Assets on which DLP policy violations occurred for user • DLP-OP: DLP alert names in the organization • DLP-GP: DLP policy violations by peer group • DLP-UProtocol: DLP protocol violations by user • DLP-UPolicy: DLP alert names for user • DLP-OG-ALERT: Peer groups triggering DLP alerts in the organization • DLP-OU-ALERT: Users triggering DLP alerts in the organization • A-DLP-OA-ALERT: Assets triggering DLP alerts in the organization • A-DLP-HN-ALERT: DLP alert names triggered in the asset • A-DLP-ZN-ALERT: DLP alert names triggered in the zone • A-DLP-ON-ALERT: DLP alert names triggered in the organization • A-DLP-AN-ALERT: DLP alert names on asset |
| file-alert | TA0002 - TA0002 ↳ FA-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user during file activity ↳ FA-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user during file activity |
• FA-UP-TEMP: Process executable TEMP directories for this user during file activity |
| file-write | TA0002 - TA0002 ↳ FA-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user during file activity ↳ FA-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user during file activity |
• FA-UP-TEMP: Process executable TEMP directories for this user during file activity |
| process-created | T1071.002 - Application Layer Protocol: File Transfer Protocols ↳ ATP-FTP-Exfil: Exfiltration Over Alternative Protocol T1048 - Exfiltration Over Alternative Protocol ↳ A-Tap-Installer: TAP software was installed on this asset. ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. ↳ Tap-Installer: TAP software was installed. T1041 - Exfiltration Over C2 Channel ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.001 - Application Layer Protocol: Web Protocols ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1572 - Protocol Tunneling ↳ A-Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed on this asset. ↳ Exfil-Tunnel-Tools-Exec: Tools known for data exfiltration and tunneling were executed. T1071.004 - Application Layer Protocol: DNS ↳ A-DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed on this asset. ↳ DNS-Exfiltration-Tools-Exec: Well-known DNS Exfiltration tools were executed. T1040 - Network Sniffing ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset. ↳ NSniff-Cred: Potential network sniffing was observed T1059 - Command and Scripting Interperter ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1560 - Archive Collected Data ↳ A-JPanda-Activity: Judgement Panda Exfil Activity detected on this asset ↳ JPanda-Activity: Judgement Panda Exfil Activity detected T1003 - OS Credential Dumping ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected T1552.001 - T1552.001 ↳ A-JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected on this asset ↳ JPanda-RUS-G-Activity: Judgement Panda Exfil Activity- Russian group activity detected |