Forcepoint Security Service Edge multiple DLP events detected for a particular file

This rule is part of a beta feature. To learn more, contact Support.

Set up the forcepoint-security-service-edge integration.

Goal

Identify files containing sensitive data by detecting specific Data Loss Prevention (DLP) patterns to ensure security and compliance.

Strategy

This rule detects files that match DLP patterns so that they can be reviewed immediately and the necessary actions taken to protect the system.
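
The grouping that the rule title describes, written out as an added example (not the rule's own query or Forcepoint code). Field names mirror the template variables used on this page; the flat event layout, the sample events, and the threshold of two events are assumptions.

```python
from collections import defaultdict

LINK = "https://drive.example.com/f/"  # constructed placeholder host
# Constructed sample events; keys follow @usr.name, @folder, @patterns, @filelink.
SAMPLE_EVENTS = [
    {"usr.name": "alice@example.com", "folder": "/Finance/Q3", "filelink": LINK + "1", "patterns": ["Credit Card Number"]},
    {"usr.name": "alice@example.com", "folder": "/Finance/Q3", "filelink": LINK + "1", "patterns": ["US Social Security Number"]},
    {"usr.name": "alice@example.com", "folder": "/Finance/Q3", "filelink": LINK + "1", "patterns": "Credit Card Number"},
    {"usr.name": "bob@example.com", "folder": "/HR", "filelink": LINK + "2", "patterns": ["Passport Number"]},
    {"usr.name": "carol@example.com", "folder": "/Legal", "filelink": LINK + "3", "patterns": ["IBAN"]},
    {"usr.name": "carol@example.com", "folder": "/Legal/Archive", "filelink": LINK + "3", "patterns": ["IBAN"]},
    {"usr.name": "dave@example.com", "folder": "/Tmp", "patterns": ["IBAN"]},  # no file link
]

MIN_EVENTS = 2  # assumed meaning of "multiple"; the page states no threshold


def _as_list(value):
    """Accept a single pattern name or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def files_with_multiple_dlp_events(events, min_events=MIN_EVENTS):
    """Group DLP events by file link; return one triage record per file
    that reached min_events, busiest file first."""
    grouped = defaultdict(list)
    for ev in events:
        link = ev.get("filelink")
        if link:  # an event without a file identity cannot be attributed
            grouped[link].append(ev)

    findings = []
    for link, evs in grouped.items():
        if len(evs) < min_events:
            continue
        findings.append({
            "filelink": link,
            "event_count": len(evs),
            "owners": sorted({e["usr.name"] for e in evs if e.get("usr.name")}),
            "folders": sorted({e["folder"] for e in evs if e.get("folder")}),
            "patterns": sorted({p for e in evs for p in _as_list(e.get("patterns"))}),
        })
    return sorted(findings, key=lambda f: f["event_count"], reverse=True)
```

Each returned record carries the owner, folder, patterns and link that the triage steps ask the responder to check.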

Triage and Response

  1. Check the owner of the file ({{@usr.name}}) and the file's folder location: {{@folder}}.
  2. Review the detected DLP patterns ({{@patterns}}) and take appropriate actions to secure the system. If uncertain, escalate the issue to the administrator.
  3. Review the file directly using the provided drive link: {{@filelink}}.
  4. Inform the file owner about the detected patterns and discuss any immediate concerns. Notify the administrator or security team if further analysis or action is required, or update DLP detection rules or configurations if necessary to improve future accuracy.