
PA_DropBox

ID: 100066

Description:

Repository:

Group: ThreatAnalysis

Type: event

Default Status:

Disabled

Tags:  
dropbox cloud storage
   

Selector:

Query:

@tags:"PA_TRAFFIC"

Filters:

| Field | MUST hit |
| :--- | :--- |
| @fields.application | dropbox-base |

| Field | MUST NOT hit |
| :--- | :--- |
| @fields.source_user | entity: [ PA_DropBox_Exceptions ] |

Behavior Rule:

| Key | Type | Behavior | Category |
| :--- | :--- | :--- | :--- |
| @fields.source_user | asset | security | alert |

Risks:

Risks Base Score Dimension
     

Attributes:

| Alias | Key |
| :--- | :--- |
| SourceIP | @fields.source_ip |
| SourceUser | @fields.source_user |
| BytesSent | @fields.bytes_sent |
| BytesRecvd | @fields.bytes_received |

Correlation Rules:

First Occurrence:

| Name | Window | Fields | Risks |
| :--- | :--- | :--- | :--- |
| PA_DropBoxUsage | 10 days | @fields.source_user | ALERT_POLICY FILE_DOWNLOAD |

Aggregation:

| Name | Window | Field | AggType | Match | Risks |
| :--- | :--- | :--- | :--- | :--- | :--- |
| PA_DropBox_FileUpload | 1 hour | @fields.bytes_sent | sum | gt 100000 | ALERT_POLICY FILE_DOWNLOAD |
| PA_DropBox_FileDownload | 1 hour | @fields.bytes_received | sum | gt 100000 | FILE_DOWNLOAD ALERT_POLICY |

History:

| User | Date |
| :--- | :--- |
| — | — |

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)