File activity searches. These can detect exploratory access, collection, and preparation for exfiltration by a rogue insider.
| Event Types | Description |
|---|---|
| File & Object Access - Event Logs | Anomalous file events by a database client |
| File & Object Access - Event Logs | Anomalous file events by an email client |
| File & Object Access - Event Logs | Anomalous file renames |
| File & Object Access - Event Logs | Anomalous file writes by a browser |
| File & Object Access - Event Logs | Anomalous file writes by a database client |
| File & Object Access - Event Logs | Anomalous file writes by an email client |
| File & Object Access - Event Logs | Anomalous local clone access |
| File & Object Access - Event Logs | Anomalous network file transfer |
| File & Object Access - Event Logs | Anomalous PDF file writes |
| File & Object Access - Event Logs | Anomalous source code access - extensions c, cpp, h, java |
| File & Object Access - Event Logs | Anomalous source code copies - extensions c, cpp, h, java |
| File & Object Access - Event Logs | Anomalous UNC connections |
| File & Object Access - Event Logs | Anomalous UNC folder path activity |
| File & Object Access - Event Logs | Anomalous UNC reads |
| File & Object Access - Event Logs | Anomalous zip file activity |
| File & Object Access - Event Logs | Browser cache file copies |
| File & Object Access - Event Logs | Browser cache file reads |
| File & Object Access - Event Logs | Compression of source code files |
| File & Object Access - Event Logs | Copying in UNC paths |
| File & Object Access - Event Logs | Copying of listed file extensions |
| File & Object Access - Event Logs | Copying of listed file names |
| File & Object Access - Event Logs | Device driver file activity |
| File & Object Access - Event Logs | Document file read by a browser |
| File & Object Access - Event Logs | Document file read by a chat client |
| File & Object Access - Event Logs | Document file read by an FTP client |
| File & Object Access - Event Logs | Document file read by an SSH client |
| File & Object Access - Event Logs | Document file read by an anomalous email client |
| File & Object Access - Event Logs | Document file read by an anomalous process |
| File & Object Access - Event Logs | Document file type / process mismatch |
| File & Object Access - Event Logs | Executable file activity on removable media |
| File & Object Access - Event Logs | Executable file write in C:\ directory |
| File & Object Access - Event Logs | Executable file write in C:\Program Files |
| File & Object Access - Event Logs | Executable file write in C:\Windows\ |
| File & Object Access - Event Logs | Executable file write in Recycle Bin |
| File & Object Access - Event Logs | Executable file write in Temp directory |
| File & Object Access - Event Logs | Executable file write in UNC path |
| File & Object Access - Event Logs | Executable file writes and renames by a browser |
| File & Object Access - Event Logs | Executable file writes and renames by a chat client |
| File & Object Access - Event Logs | Executable file writes and renames by a PDF reader |
| File & Object Access - Event Logs | Executable file writes and renames by a zip utility |
| File & Object Access - Event Logs | Executable file writes and renames by an email client |
| File & Object Access - Event Logs | Executable file writes and renames by an FTP client |
| File & Object Access - Event Logs | File copy activity on sensitive file types |
| File & Object Access - Event Logs | File copy activity on sensitive UNCs |
| File & Object Access - Event Logs | File copying between remote and fixed disks |
| File & Object Access - Event Logs | File copying between UNC path and removable drives |
| File & Object Access - Event Logs | File deletes in sensitive UNCs |
| File & Object Access - Event Logs | File renaming in sensitive UNCs |
| File & Object Access - Event Logs | File renaming of sensitive file types |
| File & Object Access - Event Logs | File writes by a terminal emulator |
| File & Object Access - Event Logs | File writes to a system path |
| File & Object Access - Event Logs | File writes to C:\Program Files |
| File & Object Access - Event Logs | Listed file type emailed to outside user |
| File & Object Access - Event Logs | Modification of the Ntoskrnl.exe and NTLDR files |
| File & Object Access - Event Logs | Network file transfer from a file share |
| File & Object Access - Event Logs | Office document file copies by Explorer |
| File & Object Access - Event Logs | Office document file reads by non-Office app |
| File & Object Access - Event Logs | Reads of sensitive keys or secret files |
| File & Object Access - Event Logs | Sensitive data emailed to outside user |
| File & Object Access - Event Logs | UNC activity during off hours |
| File & Object Access - Event Logs | UNC activity with group / UNC path mismatch |
| File & Object Access - Event Logs | UNC activity with workstation / username mismatch |
| File & Object Access - Event Logs | UNC file read by a browser |
| File & Object Access - Event Logs | UNC file read by a compression utility |
| File & Object Access - Event Logs | UNC file read by an email client |
| File & Object Access - Event Logs | UNC file read by an FTP client |
| File & Object Access - Event Logs | UNC file read by an SCP client |
| File & Object Access - Event Logs | Zip / RAR file creation in UNC path |
| File & Object Access - Event Logs | Anomalous change permissions / take ownership events |
| File & Object Access - Event Logs | Anomalous file events by a browser |