
Data Exfiltration

Use the JSA Data Exfiltration Content Extension to closely monitor your deployment for data exfiltration activity.

About the Data Exfiltration Extension

The Content Extension pack for Data Exfiltration adds several rules and saved searches that focus on detecting data exfiltration activities.

Examples of data exfiltration activities are:

  • Large outbound data transfer to a known malicious IP or to an online file storage service.

  • Slow and stealthy outbound data transfer over several days or months.

  • Data leakage or data loss in the cloud. For example, if a confidential file is uploaded to a publicly accessible folder or bucket, or if a confidential file's permissions are changed to be world readable or accessible.

  • Sharing confidential files. For example, if confidential files are shared with a malicious host, guest user, or with a user from outside the organization.

JSA Data Exfiltration Content Extensions

JSA Data Exfiltration Content Extension V1.0.3

Fixed errors in the Pulse dashboard which caused AQL queries to parse incorrectly.

The following table shows the building blocks that are renamed in JSA Data Exfiltration Content Extension V1.0.3.

Table 1: Building Blocks Renamed in JSA Data Exfiltration Content Extension V1.0.3

Old Name | New Name
BB:BehaviorDefinition: External Email Addresses | BB:BehaviorDefinition: External Recipient Host
BB:BehaviorDefinition: Potentially Hostile Email Host | BB:BehaviorDefinition: Potentially Hostile Recipient Host

JSA Data Exfiltration Content Extension V1.0.2

Updated the conditions for the following rules:

  • Large Outbound Data Transfer

  • Large Outbound Data Transfer for Flows

  • Large Outbound Data Transfer to a File Storage Host

  • Large Outbound Data Transfer to a Malicious Host or IP

  • Large Outbound Data Transfer to a Malicious IP for Flows

JSA Data Exfiltration Content Extension V1.0.1

Updated the QNI : Confidential Content Being Transferred rule to include the records that triggered the rule in the offense.

JSA Data Exfiltration Content Extension V1.0.0

The following table shows the custom event properties in JSA Data Exfiltration Content Extension V1.0.0.

Note: The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

Table 2: Custom Event Properties in JSA Data Exfiltration Content Extension V1.0.0

Custom Property | Optimized | Found in
BytesReceived | Yes |
BytesSent | Yes |
File Directory | Yes |
File Extension | Yes |
Filename | Yes |
MessageID | Yes |
Policy Name | Yes |
Public Permission | Yes | Amazon AWS
Recipient Host | Yes |
Storage Name | Yes | Amazon AWS
Target User Area | Yes | Microsoft Office 365
URL | Yes |
UrlHost | Yes |
Web Category | Yes |

The following table shows the building blocks and rules in JSA Data Exfiltration Content Extension V1.0.0.

Table 3: Building Blocks and Rules in JSA Data Exfiltration Content Extension V1.0.0

Type | Name | Description
Building Block | BB:BehaviorDefinition: External Email Addresses | This Building Block identifies recipient hosts that are not in the Corporate Email Domains reference set. Note: The Corporate Email Domains reference set must be populated.
Building Block | BB:BehaviorDefinition: Potentially Hostile Email Host | This Building Block identifies an email that is being sent to a malicious host. The host is malicious if the X-Force categorization for it returns one of the following: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining.
Building Block | BB:CategoryDefinition: Communication with Potential Hostile Destination IPs | This Building Block identifies communications to malicious IPs. The host is malicious if the X-Force categorization for it returns one of the following: Malware, Botnet Command and Control Server, Spam, Cryptocurrency Mining, Scanning IPs, Bots, or Phishing.
Building Block | BB:CategoryDefinition: Communication with Potential Hostile Recipient Hosts | This Building Block identifies communications to malicious hosts. The host is malicious if the X-Force categorization for it returns one of the following: Botnet Command and Control Server, Malware, Phishing URLs, Cryptocurrency Mining, or Spam URLs.
Building Block | BB:CategoryDefinition: Countries/Regions with Restricted Access | Edit this Building Block to include any geographic location that typically would not be allowed to access the enterprise.
Building Block | BB:CategoryDefinition: File Deleted Events | Edit this Building Block to include any file deletion event categories.
Building Block | BB:CategoryDefinition: Link Shared Events | Edit this Building Block to include link-shared related event categories.
Building Block | BB:CategoryDefinition: Object Access Events | Edit this Building Block to include all object (file, folder, and so on) access-related event categories.
Building Block | BB:CategoryDefinition: Object Download Events | Edit this Building Block to include all object (file, folder, and so on) download-related event categories.
Building Block | BB:CategoryDefinition: Object Upload Events | Edit this Building Block to include all object (file, folder, and so on) upload-related event categories.
Building Block | BB:DeviceDefinition: DLP Devices | This Building Block defines all data loss prevention (DLP) devices on the system.
Building Block | BB:DeviceDefinition: Mail | This Building Block defines all Mail devices on the system.
Building Block | BB:Exfiltration: Files in Sensitive Directories | Detects files that are in sensitive paths. Sensitive paths are defined in the Sensitive File Paths reference set. Note: The Sensitive File Paths reference set must be populated.
Rule | Database Backup or Compressed File Uploaded to a Publicly Accessible Folder | This rule triggers when a database backup or a compressed file is uploaded to a publicly accessible folder or bucket. The Publicly Accessible Folders reference set must be populated with the relevant folder names. Note: The Critical File Extensions reference set is pre-populated with critical file extensions, and can be tuned.
Rule | Email containing Sensitive File Sent to External Host | This rule triggers when an email that contains sensitive data is sent to an email address that is outside of the organization. Note: The Sensitive File Directories reference set must be populated with the relevant folder names. The Corporate Email Domains reference set must be populated with the organization's email domain.
Rule | Email containing Sensitive File Sent to Potentially Hostile Host | This rule triggers when an email that contains a sensitive file is sent to a host that is known for hostile activities such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. The Files in Sensitive Directories reference set is populated by the Files in Sensitive File Directories rule. Note: The Sensitive Directories reference set must be populated.
Rule | Excessive File Access Events From the Same Source IP | This rule triggers when at least 15 different files are accessed by the same source IP within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS updates or software updates.
Rule | Excessive File Access Events From the Same Username | This rule triggers when at least 15 different files are accessed by the same user name within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS updates or software updates.
Rule | Excessive File Downloads Events From the Same Source IP | This rule triggers when at least 10 different files are downloaded from the same source IP within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS updates or software updates.
Rule | Excessive File Downloads Events From the Same Username | This rule triggers when at least 15 different files are downloaded by the same user name within 5 minutes. Note: Edit the AQL function to exclude known legitimate download activities such as OS updates or software updates.
Rule | File Accessed or Downloaded From a Malicious IP | This rule triggers when a file is accessed or downloaded from a malicious IP, such as a known Command and Control server or Malware server.
Rule | File or Folder Shared With an Email Hosted on a Potentially Hostile Domain | This rule triggers when a file or folder is shared with an email address that is associated with hostile domains such as Spam URLs, Phishing URLs, Malware, or Cryptocurrency Mining.
Rule | File or Folder Shared With an External Email Address | This rule triggers when a file or a folder is shared with a non-corporate email address domain. Note: The Corporate Email Domains reference set must be populated with the organization's email domain.
Rule | Files Deleted from Sensitive File Directories | This rule detects a file deletion event from a sensitive file directory and then, as a Rule Response, removes the file name from the Files in Sensitive Directories reference set. Note: In JSA 7.3.2 and earlier versions, the reference set does not link properly to Files in Sensitive Directories - AlphaNumeric. This was corrected in 7.3.2 patch 1. If you do not have 7.3.2 patch 1 installed, you can do the following: Select the rule, and click Next. Under Rule Response, click the list for the reference set, and select Files in Sensitive Directories - AlphaNumeric.
Rule | Files in Sensitive File Directories | This rule detects when a new file is found in a sensitive file directory and then, as a Rule Response, adds the file name to the Files in Sensitive Directories reference set.
Rule | Large Outbound Data Transfer | This anomaly rule triggers when more than 5 GB of data is transferred to an IP address within 4 days.
Rule | Large Outbound Data Transfer for Flows | This flow anomaly rule triggers when more than 1 GB of data is transferred within 24 hours to a single IP address. For more information, see the Large Outbound Data Transfer Network Activity saved search.
Rule | Large Outbound Data Transfer to a File Storage Host | This event anomaly rule triggers when more than 1 GB of data is transferred within 24 hours to a URL classified under the X-Force category Web Storage. The rule is also configured to match on the proxy category populated in the File Storage Web Categories reference set. For more information, see the Large Outbound Data Transfer to a File Storage Host Log Activity saved search.
Rule | Large Outbound Data Transfer to a Malicious Host or IP | This event anomaly rule triggers when more than 1 GB of data is transferred within 24 hours to an IP address or URL that is classified under one of the following X-Force categories: Malware, Botnet Command and Control Server, Spam, Cryptocurrency Mining, Scanning IPs (only on IP addresses), Phishing, or Bots (only on IP addresses). The rule is also configured to match on the proxy category populated in the Malicious Web Categories reference set. For more information, see the Large Outbound Data Transfer to Malicious Host or IP Log Activity saved search.
Rule | Large Outbound Data Transfer to a Malicious IP for Flows | This flow anomaly rule triggers when more than 1 GB of data is transferred within 24 hours to an IP address that is classified under one of the following X-Force categories: Malware, Botnet Command and Control Server, Spam, Cryptocurrency Mining, Scanning IPs, Phishing, or Bots. For more information, see the Large Outbound Data Transfer to Malicious IP Network Activity saved search.
Rule | QNI : Confidential Content Being Transferred | This rule detects confidential content that is being transferred to a remote destination. Suspect content can be tuned with YARA rules. For more information, see the QNI documentation.
Rule | Sensitive File Accessed or Downloaded From Regions or Countries with Restricted Access | This rule triggers when a confidential file is accessed or downloaded from a region or country with restricted access. These regions are defined in the BB:CategoryDefinition: Countries/Regions with Restricted Access building block.
Rule | Sensitive File Permissions Allow Public Access | This rule triggers when the permissions for a sensitive file allow public access. The Files in Sensitive Directories reference set is populated by the Files in Sensitive File Directories rule. Note: The Sensitive Directories reference set must be populated.
Rule | Sensitive File Shared with a Guest User or Group | This rule triggers when a sensitive file is shared with a guest user or group. The Files in Sensitive Directories reference set is populated by the Files in Sensitive File Directories rule, which uses the Sensitive Directories reference set. Note: The Sensitive Directories and Guest Login Users reference sets must be populated.
Rule | Sensitive File Uploaded to a Publicly Accessible Folder | This rule triggers when a sensitive file is uploaded to a publicly accessible folder or bucket.
Rule | Suspicious Activity on Confidential Data Detected by DLP Devices | This rule triggers when suspicious activity on confidential data is detected by a DLP device. The DLP devices are defined in the BB:DeviceDefinition: DLP Devices building block. Note: The DLP Policies reference set must be populated.
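As an added illustration, not code from the extension or from its documentation, the following Python model reproduces the thresholds of two of the rules above ("Excessive File Access Events From the Same Source IP": at least 15 distinct files from one source IP within 5 minutes; "Large Outbound Data Transfer": more than 5 GB to one IP within 4 days) over constructed sample events. The event field names, the sample values, and modelling the Legitimate Data Transfer Destination IPs reference set as a plain Python set are assumptions; the real rules are evaluated by the JSA rule engine, not by this script.

```python
# Constructed model of two rule patterns from the Data Exfiltration extension.
# Field names (sourceip, username, Filename, destinationip, BytesSent) are
# assumed to mirror the custom event properties listed on the page.
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3


def excessive_file_access(events, key="sourceip", threshold=15,
                          window=timedelta(minutes=5)):
    """Keys (source IPs, or user names with key='username') that touched at
    least `threshold` distinct Filename values inside any `window` span."""
    per_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        per_key[e[key]].append((e["time"], e["Filename"]))
    hits = set()
    for k, rows in per_key.items():
        for i, (start, _) in enumerate(rows):       # sliding window start
            names = {n for t, n in rows[i:] if t - start <= window}
            if len(names) >= threshold:
                hits.add(k)
                break
    return hits


def large_outbound_transfer(events, limit=5 * GB, window=timedelta(days=4),
                            legitimate_ips=frozenset()):
    """Destination IPs whose summed BytesSent exceeds `limit` within any
    `window`; IPs in `legitimate_ips` (the Legitimate Data Transfer
    Destination IPs reference set, modelled as a set) are never flagged."""
    per_dst = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["destinationip"] not in legitimate_ips:
            per_dst[e["destinationip"]].append((e["time"], e["BytesSent"]))
    flagged = set()
    for dst, rows in per_dst.items():
        for i, (start, _) in enumerate(rows):
            total = sum(b for t, b in rows[i:] if t - start <= window)
            if total > limit:
                flagged.add(dst)
                break
    return flagged


# Constructed sample events: alice opens 16 files in 150 s (trips the access
# rule); bob pushes 1 GB every 6 hours, 6 GB total in 30 h (trips the 5 GB rule).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = (
    [{"time": T0 + timedelta(seconds=10 * i), "sourceip": "10.0.0.5",
      "username": "alice", "Filename": f"report{i}.docx",
      "destinationip": "203.0.113.9", "BytesSent": 1500} for i in range(16)]
    + [{"time": T0 + timedelta(hours=6 * i), "sourceip": "10.0.0.7",
        "username": "bob", "Filename": "backup.tar.gz",
        "destinationip": "198.51.100.20", "BytesSent": 1 * GB} for i in range(6)]
)
```

Tuning the exclusion the page's notes ask for (OS or software update traffic) corresponds here to adding those destinations to `legitimate_ips`, which drops them before the byte totals are computed.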

The following table shows the reference data in JSA Data Exfiltration Content Extension V1.0.0.

Table 4: Reference Data in JSA Data Exfiltration Content Extension V1.0.0

Type | Name | Description
Reference Set | Corporate Email Domains | Contains a list of corporate email domains.
Reference Set | Critical File Extensions | Contains a list of critical file extensions.
Reference Set | DLP Policies | Contains a list of DLP policies.
Reference Set | File Storage Web Categories | Contains a list of file storage web categories.
Reference Set | Files in Sensitive Directories | Contains a list of file names in sensitive directories.
Reference Set | Guest Login Users | Contains a list of guest login user names.
Reference Set | Legitimate Data Transfer Destination IPs | Contains a list of legitimate data transfer destination IPs.
Reference Set | Malicious Web Categories | Contains a list of malicious web categories.
Reference Set | Publicly Accessible Folders | Contains a list of names of publicly accessible folders.
Reference Set | Sensitive File Directories | Contains a list of sensitive file directories.

The following table shows the saved searches in JSA Data Exfiltration Content Extension V1.0.0.

Table 5: Saved Searches in JSA Data Exfiltration Content Extension V1.0.0

Name | Description
Large Outbound Data Transfer | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts.
Large Outbound Data Transfer to a File Storage Host | Shows all events with large outbound data transfer (greater than 1 GB) to file storage hosts.
Large Outbound Data Transfer to Malicious Host or IP | Shows all events with large outbound data transfer (greater than 1 GB) to a malicious host or IP.
Slow Outbound Data Transfer Over Multiple Days | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts over multiple days.
Slow Outbound Data Transfer Over Multiple Days Grouped By Source IP and Username | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts over multiple days, grouped by source IP and user name.
Slow Outbound Data Transfer Over Multiple Months | Shows all events with large outbound data transfer (greater than 1 GB) to remote hosts over multiple months.
Large Outbound Data Transfer | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs.
Large Outbound Data Transfer to a Malicious IP | Shows all flows with large outbound data transfer (greater than 1 GB) to a malicious IP.
Slow Outbound Data Transfer Over Multiple Days | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs over multiple days.
Slow Outbound Data Transfer Over Multiple Days Grouped By Source IP | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs over multiple months, grouped by source IP.
Slow Outbound Data Transfer Over Multiple Months | Shows all flows with large outbound data transfer (greater than 1 GB) to remote IPs over multiple months.