Product: Sonicwall
Use-Case: Data Leak
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 17 | 13 | 11 | 3 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| vpn-logout | T1133 - External Remote Services ↳ VPN-BSum: Abnormal amount of data uploaded during VPN Session T1052 - Exfiltration Over Physical Medium ↳ UW-FNum: Abnormal number of files written to USB ↳ UW-BSum: Abnormal amount of data written to USB ↳ PR-NPSum: Abnormal number of pages printed T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB ↳ UW-FNum: Abnormal number of files written to USB ↳ UW-BSum: Abnormal amount of data written to USB T1048 - Exfiltration Over Alternative Protocol ↳ EM-FNum: Abnormal number of outgoing emails ↳ EM-DNum: Abnormal number of outgoing email domains ↳ EM-BSum-personal: Abnormal size of outgoing emails to personal account ↳ EM-BSum: Abnormal size of outgoing emails T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol ↳ EM-FNum: Abnormal number of outgoing emails ↳ EM-DNum: Abnormal number of outgoing email domains ↳ EM-BSum-personal: Abnormal size of outgoing emails to personal account ↳ EM-BSum: Abnormal size of outgoing emails TA0010 - TA0010 ↳ DLP-UPCOUNT: Abnormal number of DLP policy violations for user ↳ DLP-GPCOUNT: Abnormal number of DLP policy violations for peer group ↳ DLP-BSum: Abnormal amount of data written during DLP policy violation |
• VPN-BSum: Sum of bytes uploaded during VPN • PR-NPSum: Number of pages printed by user • UW-BSum: Sum of bytes written to USB • UW-FNum: Count of assets Files Written to USB • EM-BSum: Sum of bytes in outgoing emails • EM-BSum-personal: Sum of bytes in outgoing emails to personal domains • EM-DNum: Number of distinct domains • EM-FNum: Count of outgoing emails • DLP-BSum: Sum of bytes written during DLP policy violation • DLP-GPCOUNT: Count of DLP policy violations for peer group • DLP-UPCOUNT: Count of DLP policy violations for user |
| web-activity-allowed | T1041 - Exfiltration Over C2 Channel ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1567 - Exfiltration Over Web Service ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1071 - Application Layer Protocol ↳ WEB-New-File-20: User with no web activity history has uploaded 20MB or more T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-New-File-20: User with no web activity history has uploaded 20MB or more T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |
| web-activity-denied | T1071 - Application Layer Protocol ↳ WEB-New-File-20-Block: User with no web activity history was blocked from uploading 20MB or more T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-New-File-20-Block: User with no web activity history was blocked from uploading 20MB or more T1567 - Exfiltration Over Web Service ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |