DLP sensitive data exposed to external users

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Office 365 Audit

Detection Modules

Identity Threat Module

Detector Tags

O365 DLP Analytics

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Severity

Informational

Description

A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.

Attacker's Goals

An attacker is attempting to access sensitive information.

Investigative actions

  • Review the details of the triggered DLP rule match.
    Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Follow further actions done by the account.
  • Communicate with the user to verify the legitimacy of the triggered event.

Variations

High-severity DLP sensitive data exposed to external users

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Severity

Low

Description

A user triggered an O365 DLP rule match on data that is viewable by external users. This may indicate an attacker's attempt to access sensitive information.

Attacker's Goals

An attacker is attempting to access sensitive information.

Investigative actions

  • Review the details of the triggered DLP rule match.
    Look for signs that the user account and mailbox are compromised (e.g. abnormal logins, unusual activity).
  • Follow further actions done by the account.
  • Communicate with the user to verify the legitimacy of the triggered event.