You have sensitive data in your environment that you need to keep secure. The framework in this content pack provides easy-to-view metrics that offer a quick status check of sensitive data locations. It also identifies possible data exfiltration information and includes a logical workflow for reviewing user interactions with sensitive information, including who is viewing it, what is being viewed, and to whom the information is being sent. It also provides rapid insight into specific users and activity from possible insider threats to help immediately stop the data exfiltration.

Content Pack Components

Alarms

Focused on specific file or data events that interact with resources containing sensitive data.

  • Exfiltration – Possible Exfiltration

Reports

Useful for providing regular summary data to interested parties.

  • Exfiltration – Date Leakage Analysis
  • Exfiltration – Insider Threat Analysis

Variables

  • FTP_SERVERS

Views

Shows activity that stems from system interaction on the network involving sensitive data locations or user-centric events and zone-specific scenarios.

  • Exfiltration – High-Value Host Activity
  • Exfiltration – Potential Insider Threat Activity
  • Exfiltration – DLP Device Activity
  • Exfiltration – Zone Exfiltration Summary

Correlation Rules

Focused on data-related events that interact with the high-value hosts, tracking them and determining which users trigger the rules.

  • Exfiltration – Abnormal Communication and Exfiltration from High-Value Host – Events and Flows
  • Exfiltration - FTP Traffic with High-Value Host
  • Exfiltration – High Number of File Status Events on High-Value Hosts
  • Exfiltration - IM Client File Transfers with High-Value Hosts
  • Exfiltration - P2P Activity with High-Value Hosts

Watchlists

Keep track of resources on the network that contain a degree of sensitive information or specific users that have interacted with these sensitive resources.

  • High Value Hosts
  • Exfiltration – Possible User Threats
  • Exfiltration – User Whitelist

Required Products

  • McAfee Enterprise Security Manager (ESM) 11.x, 10.x
  • McAfee Advanced Correlation Engine (ACE) 11.x, 10.x

Content pack demo

Content packs are available directly inside the McAfee Enterprise Security Manager user interface. Watch the video to discover how to access your content pack and get started.

Watch Video
prevent-ransomware

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.

Read Article

Explore

Find other content packs and partner integrations.

See All

Free Trial

Interested in McAfee Enterprise Security Manager?

Register