Acting on policy alert - Data Exfiltration

Question

Hi we have recently enabled CAS and we have had a "Data Exfiltration to unsanctioned app" alert. One of our users has uploaded a substantial amount of data to Facebook.

How do we look into this to see what has been uploaded? Or can't we?

Thanks

Neil

molx32 · Answer

Hello,&nbsp;Any improvement on these monitoring features?It would be great to have the filename, the source (e.g. sharepoint or local file), account of the exfiltration platform (e.g. Google drive account if data is exfiltrated to Google), etc.

rajatm · Answer

unfortunately you cannot. CAS only gets basic details for discovery from traffic data, general indicators like source and remote IPs, bytes sent and received. It does not ingest nor can provide any info related to exactly what was uploaded or downloaded, but only a summary of the apps discovered.

neilcarden · Answer

rajatm&nbsp;Thanks for your reply.I am assuming there is no way we can correlate the alert with any Defender ATP info and find out what was uploaded, or at least whether it was corporate data?&nbsp;

rajatm · Answer

I do not think that's possible but my knowledge of MDATP is limited. Apologies.

Forum Discussion

Acting on policy alert - Data Exfiltration

4 Replies

Resources