Exfiltration Content Pack

Overview

You have sensitive data in your environment and you need to keep it secure. The framework provided in this content pack provides easy-to-view metrics that offer a quick status check of sensitive data locations and identify possible data exfiltration information; a logical workflow for reviewing user interactions with sensitive information, including who is viewing it, what is being viewed, and to whom the information is being sent; and rapid insight into specific users and activity from possible insider threats to help immediately stop the data exfiltration.

Content Pack Components

Alarms

Focused on specific file or data events that interact with resources containing sensitive data.

  • Exfiltration – Possible Exfiltration
Reports

Useful for providing regular summary data to interested parties.

  • Exfiltration – Date Leakage Analysis
  • Exfiltration – Insider Threat Analysis
Variables
  • FTP_SERVERS
Views

Shows activity that stems from system interaction on the network involving sensitive data locations or user-centric events and zone-specific scenarios.

  • Exfiltration – High-Value Host Activity
  • Exfiltration – Potential Insider Threat Activity
  • Exfiltration – DLP Device Activity
  • Exfiltration – Zone Exfiltration Summary
Correlation Rules

Focused on data-related events that interact with the high-value hosts, tracking them and determining which users trigger the rules.

  • Exfiltration – Abnormal Communication and Exfiltration from High-Value Host – Events and Flows
  • Exfiltration - FTP Traffic with High-Value Host
  • Exfiltration – High Number of File Status Events on High-Value Hosts
  • Exfiltration - IM Client File Transfers with High-Value Hosts
  • Exfiltration - P2P Activity with High-Value Hosts
Watchlists

Keep track of resources on the network that contain a degree of sensitive information or specific users that have interacted with these sensitive resources.

  • High Value Hosts
  • Exfiltration – Possible User Threats
  • Exfiltration – User Whitelist

Required Products

  • McAfee Enterprise Security Manager (ESM) 10.0.x, 9.6.x, 9.5.x
  • McAfee Advanced Correlation Engine (ACE) 10.0.x, 9.6.x, 9.5.x
prevent-ransomware

Content Pack Demo

Content packs are available directly inside the McAfee Enterprise Security Manager user interface. Watch the video to discover how to access the content pack and get started.

Watch Video

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.

Read Article

Explore

Find other content packs and partner integrations.

See All

Free Trial

Interested in McAfee Enterprise Security Manager?

Register for Free Trial