UEBA : Data Exfiltration by Removable Media
The QRadar® User Entity Behavior Analytics (UEBA) app supports use cases based on rules for certain behavioral anomalies.
Enabled by default
False
Default senseValue
5
Default senseValueSource
5
Description
Detects users who are transferring files to removable media such as USB drives and CDs.
Support rules
- BB:UBA : Common Event Filters
- BB:UBA : File Transfer to CD
- BB:UBA : File Transfer to USB
Log source types
Symantec Endpoint Protection (EventID: Log writing to USB drives_File_Write, Log writing to USB drives_Write File)
Verdasys Digital Guardian (EventID: CD Burn)