
Summary
This detection rule, implemented using Zeek, identifies suspicious access to files with known sensitive extensions, which could indicate data exfiltration or unauthorized access to sensitive information. The rule filters for file names that end with extensions commonly associated with sensitive data, such as email files (.pst, .msg), backups (.bak, .dmp), and other confidential files (.nst, .oab, .edb, .nsf, and .rdp). It monitors SMB file access events and raises an alert when a file matching one of these extensions is accessed. This is particularly important for environments handling sensitive information, to prevent data leaks and support compliance with data protection regulations. The rule carries a medium severity level, calling for prompt attention while acknowledging that legitimate activity, such as backup jobs or users exchanging necessary files, can produce false positives.
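The following is an added example, not the rule's own Zeek or Sigma logic: it applies the extension check described above to Zeek smb_files.log records. The log sample is constructed here in Zeek's TSV layout with a reduced set of columns (the column names ts, uid, id.orig_h, id.resp_h, action, path, name and size, and the SMB::FILE_OPEN / SMB::FILE_READ action values, are assumed to follow Zeek's defaults). The optional action filter is an added tuning knob, not part of the rule, to show how the duplicate open-then-read alerts on the same file can be reduced.

```python
"""Added example: match Zeek smb_files.log records against the sensitive
file extensions named in the rule summary (not the rule's own code)."""
from typing import Dict, List, Optional, Set

# Extensions listed in the rule summary.
SENSITIVE_EXTENSIONS = (".pst", ".msg", ".bak", ".dmp",
                        ".nst", ".oab", ".edb", ".nsf", ".rdp")

# Constructed sample log in Zeek's TSV layout; a reduced set of
# smb_files.log columns (assumed to match Zeek's default field names).
SAMPLE_SMB_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\taction\tpath\tname\tsize",
    "1585785600.1\tCa1\t10.1.2.30\t10.1.2.5\tSMB::FILE_OPEN\t\\\\fs01\\share\tdocs\\report.docx\t10240",
    "1585785601.2\tCa2\t10.1.2.31\t10.1.2.5\tSMB::FILE_OPEN\t\\\\fs01\\mail\tarchive\\alice.PST\t734003200",
    "1585785602.3\tCa2\t10.1.2.31\t10.1.2.5\tSMB::FILE_READ\t\\\\fs01\\mail\tarchive\\alice.PST\t734003200",
    "1585785603.4\tCa3\t10.1.2.40\t10.1.2.9\tSMB::FILE_OPEN\t\\\\db01\\backup\tprod.bak\t5368709120",
    "1585785604.5\tCa4\t10.1.2.50\t10.1.2.5\tSMB::FILE_OPEN\t\\\\fs01\\share\tnotes.txt\t-",
    "1585785605.6\tCa5\t10.1.2.50\t10.1.2.5\tSMB::FILE_OPEN\t\\\\fs01\\share\tpst_howto.txt\t512",
])


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek TSV output: '#fields' names the columns, other '#' lines are metadata."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def has_sensitive_extension(name: str) -> bool:
    """Case-insensitive 'ends with' match on the file name, as a Sigma endswith modifier behaves."""
    if name == "-":  # Zeek writes '-' for an unset field
        return False
    return name.lower().endswith(SENSITIVE_EXTENSIONS)


def detect(records: List[Dict[str, str]],
           actions: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Return one medium-severity alert per record whose name matches.

    'actions' is an added tuning option: restrict to e.g. {"SMB::FILE_OPEN"}
    so an open followed by reads of the same file does not alert repeatedly.
    """
    alerts = []
    for rec in records:
        if actions is not None and rec.get("action") not in actions:
            continue
        if has_sensitive_extension(rec.get("name", "-")):
            alerts.append({
                "ts": rec["ts"],
                "uid": rec["uid"],
                "client": rec["id.orig_h"],
                "server": rec["id.resp_h"],
                "action": rec["action"],
                "path": rec["path"],
                "name": rec["name"],
                "severity": "medium",
            })
    return alerts


def run_sample(actions: Optional[Set[str]] = None) -> List[Dict[str, str]]:
    """Parse the constructed sample and run the detection over it."""
    return detect(parse_zeek_tsv(SAMPLE_SMB_FILES_LOG), actions)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the unfiltered run alerts on the .PST open, the .PST read and the .bak open, while notes.txt and pst_howto.txt do not match because the check is on the file name's suffix only. Restricting to SMB::FILE_OPEN collapses the open/read pair to a single alert per file.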
Categories
- Network
- Endpoint
- Cloud
Data Sources
- Logon Session
- Network Traffic
- File
Created: 2020-04-02