Product: Reveal
Use-Case: Data Exfiltration
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 38 | 20 | 10 | 3 | 10 |
| Event Type | Rules | Models |
|---|---|---|
| dlp-alert | TA0010 - TA0010 ↳ DLP-OU-ALERT-F: First DLP alert triggered for this user ↳ DLP-OU-ALERT-A: Abnormal user triggering DLP alert ↳ DLP-OG-ALERT-F: First DLP alert triggered for peer group in the organization ↳ DLP-OG-ALERT-A: Abnormal peer group triggering DLP alert in the organization ↳ DLP-UPolicy-F: First DLP alert name for user ↳ DLP-UPolicy-A: Abnormal DLP alert name for user ↳ DLP-UProtocol-F: First DLP protocol violation for user ↳ DLP-UProtocol-A: Abnormal DLP protocol violation for user ↳ DLP-GP-F: First DLP policy violation for peer group ↳ DLP-GP-A: Abnormal DLP policy violation for peer group ↳ DLP-OP-F: First DLP alert name in the organization ↳ DLP-OP-A: Abnormal DLP alert name in the organization ↳ DLP-UA-F: First DLP policy violation from asset for user ↳ DLP-GA-F: First DLP policy violation from asset for the peer group ↳ DLP-OA-F: First DLP policy violation from asset for the organization ↳ DLP-OBp-F: First blocked process for the organization ↳ DLP-GBp-F: First blocked process for the peer group ↳ DLP-UBp-F: First blocked process for the user ↳ A-DLP-AN-ALERT-F: First DLP alert name on the asset ↳ A-DLP-AN-ALERT-A: Abnormal DLP alert name on the asset ↳ A-DLP-ON-ALERT-F: First DLP alert (by name) in the organization ↳ A-DLP-ON-ALERT-A: Abnormal DLP alert (by name) in the organization ↳ A-DLP-ZN-ALERT-F: First DLP alert (by name) in the zone ↳ A-DLP-ZN-ALERT-A: Abnormal DLP alert (by name) in the zone ↳ A-DLP-HN-ALERT-A: Abnormal DLP alert (by name) in the asset ↳ A-DLP-OA-ALERT-F: First DLP alert triggered for asset in the organization ↳ A-DLP-OA-ALERT-A: Abnormal asset triggering DLP alert in the organization T1020 - Automated Exfiltration ↳ A-DLP-HN-ALERT-F: First DLP alert (by name) in the asset T1071 - Application Layer Protocol ↳ DLP-PT-F: First target domain for protocol |
• A-DLP-OA-ALERT: Assets triggering DLP alerts in the organization • A-DLP-HN-ALERT: DLP alert names triggered in the asset • A-DLP-ZN-ALERT: DLP alert names triggered in the zone • A-DLP-ON-ALERT: DLP alert names triggered in the organization • A-DLP-AN-ALERT: DLP alert names on asset • DLP-PT: Models the target domains accessed using this protocol • DLP-UBp: Processes that are blocked from execution for the user • DLP-GBp: Processes that are blocked from execution in the peer group • DLP-OBp: Processes that are blocked from execution in the organization • DLP-GA: Assets on which DLP policy violations occurred in the peer group • DLP-UA: Assets on which DLP policy violations occurred for user • DLP-OP: DLP alert names in the organization • DLP-GP: DLP policy violations by peer group • DLP-UProtocol: DLP protocol violations by user • DLP-UPolicy: DLP alert names for user • DLP-OG-ALERT: Peer groups triggering DLP alerts in the organization • DLP-OU-ALERT: Users triggering DLP alerts in the organization |
| file-write | TA0002 - TA0002 ↳ FA-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user during file activity ↳ FA-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user during file activity |
• FA-UP-TEMP: Process executable TEMP directories for this user during file activity |
| web-activity-allowed | T1041 - Exfiltration Over C2 Channel ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1567 - Exfiltration Over Web Service ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group ↳ A-WEB-EXFIL-ASSET: Large amount of data exfiltrated from host T1071 - Application Layer Protocol ↳ WEB-New-File-20: User has uploaded 20MB or more to an infrequently accessed top domain ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-New-File-20: User has uploaded 20MB or more to an infrequently accessed top domain ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1568 - Dynamic Resolution ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service ↳ A-WEB-DynamicDNS: Asset attempted access to a domain generated using Dynamic DNS service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage ↳ WEB-FS: User has accessed a file sharing domain ↳ WEB-OU-FS: One of the top file sharing users in the organization ↳ WEB-OG-FS: One of the top file sharing users in the peer group T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DynamicDNS: User attempted access to a domain generated using Dynamic DNS service |
• WEB-OG-FS: File sharing activities of users in the peer group • WEB-OU-FS: File sharing activities of users in the organization |