UEBA : Data Exfiltration by Removable Media

The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.

Enabled by default: False

Default senseValue: 5

Default senseValueSource: 5

Description

Detects users that are transferring files to removable media such as USB and CD.

Support rules

  • BB:UBA : Common Event Filters
  • BB:UBA : File Transfer to CD
  • BB:UBA : File Transfer to USB

Log source types

Symantec Endpoint Protection (EventID: Log writing to USB drives_File_Write, Log writing to USB drives_Write File)

Verdasys Digital Guardian (EventID: CD Burn)