Acting on policy alert - Data Exfiltration


Hi, we have recently enabled CAS and we have had a "Data Exfiltration to unsanctioned app" alert. One of our users has uploaded a substantial amount of data to Facebook.

How do we look into this to see what has been uploaded? Or can't we?




4 Replies
Unfortunately you cannot. CAS only gets basic details for discovery from traffic data: general indicators like source and remote IPs, bytes sent and received. It does not ingest, nor can it provide, any info related to exactly what was uploaded or downloaded, only a summary of the apps discovered.
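To make the point concrete, here is an added example (not part of this thread, and not Cloud App Security's own code) showing what a discovery-style alert is actually built from. It parses constructed proxy-log records whose only fields are timestamp, user, source IP, destination host and byte counts, aggregates them per user and app against a hypothetical app catalog, and raises an "upload to unsanctioned app" alert above a constructed 100 MiB threshold. Nothing in the input carries file names or contents, which is why the alert cannot tell you what was uploaded.

```python
"""Aggregate constructed proxy-log records the way a discovery tool does.

Only per-app upload/download totals exist in this data; there is no field
that could reveal which files (or whether corporate data) went out.
"""
from collections import defaultdict

# Constructed sample log export (assumption: a CSV-style firewall/proxy log).
# Fields: timestamp, user, src_ip, dst_host, bytes_sent, bytes_received
SAMPLE_LOG = """\
2024-01-10T09:01:12Z,alice,10.0.0.15,upload.facebook.com,52428800,1024
2024-01-10T09:03:40Z,alice,10.0.0.15,upload.facebook.com,78643200,2048
2024-01-10T09:05:02Z,bob,10.0.0.22,www.facebook.com,2048,409600
2024-01-10T09:06:30Z,alice,10.0.0.15,outlook.office365.com,1048576,5242880
2024-01-10T09:07:11Z,carol,10.0.0.31,drive.google.com,10485760,8192
"""

# Hypothetical app catalog: hostname -> (app name, sanctioned?).
APP_CATALOG = {
    "upload.facebook.com": ("Facebook", False),
    "www.facebook.com": ("Facebook", False),
    "drive.google.com": ("Google Drive", False),
    "outlook.office365.com": ("Microsoft 365", True),
}

# Constructed threshold for the example; a real policy would tune this.
UPLOAD_THRESHOLD_BYTES = 100 * 1024 * 1024  # 100 MiB


def parse_log(text):
    """Parse the CSV-style export into dicts of the metadata fields only."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, host, sent, recv = line.split(",")
        records.append({
            "timestamp": ts,
            "user": user,
            "src_ip": src_ip,
            "host": host,
            "bytes_sent": int(sent),
            "bytes_received": int(recv),
        })
    return records


def summarize_by_user_app(records):
    """Roll records up to (user, app) totals, the granularity discovery reports."""
    totals = defaultdict(lambda: {"bytes_sent": 0, "bytes_received": 0,
                                  "sessions": 0, "sanctioned": False})
    for r in records:
        app, sanctioned = APP_CATALOG.get(r["host"], (r["host"], False))
        t = totals[(r["user"], app)]
        t["bytes_sent"] += r["bytes_sent"]
        t["bytes_received"] += r["bytes_received"]
        t["sessions"] += 1
        t["sanctioned"] = sanctioned
    return dict(totals)


def exfiltration_alerts(summary, threshold=UPLOAD_THRESHOLD_BYTES):
    """Flag unsanctioned apps whose upload volume meets the threshold."""
    alerts = []
    for (user, app), t in sorted(summary.items()):
        if not t["sanctioned"] and t["bytes_sent"] >= threshold:
            alerts.append({"user": user, "app": app,
                           "bytes_sent": t["bytes_sent"],
                           "sessions": t["sessions"]})
    return alerts


def available_fields(records):
    """Return the set of field names the alert could ever be based on."""
    return set().union(*(r.keys() for r in records)) if records else set()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fields available:", sorted(available_fields(recs)))
    for a in exfiltration_alerts(summarize_by_user_app(recs)):
        print(f"ALERT: {a['user']} sent {a['bytes_sent']} bytes to {a['app']} "
              f"over {a['sessions']} sessions")
```

Running it flags only alice's Facebook uploads (about 125 MiB across two sessions); carol's 10 MiB to Google Drive stays under the threshold. The `available_fields` output is the practical answer to the question above: once the log is reduced to IPs, hosts and byte counts, there is nothing left to correlate back to a file name or a classification label, so that evidence has to come from an endpoint or data-protection source rather than from the discovery alert.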

@rajatm Thanks for your reply.

I am assuming there is no way we can correlate the alert with any Defender ATP info and find out what was uploaded, or at least whether it was corporate data? 

I do not think that's possible but my knowledge of MDATP is limited. Apologies.



Any improvement on these monitoring features?

It would be great to have the filename, the source (e.g. SharePoint or local file), account of the exfiltration platform (e.g. Google Drive account if data is exfiltrated to Google), etc.