-
Hi @yashg-op, thanks for the question! We do have Falcon Data Protection as part of the platform, which would currently support the use case on Windows Hosts. From the description:
Events generated from this module post configuration are available with the GetQueriesAlertsV2 Operation using a filter of |
-
I am looking to determine if our system might be used to exfiltrate sensitive data. Specifically, I want to identify any suspicious upload events related to a particular sensitive file. Can Falcon assist in this process?
Detection of Malicious Uploads: Can Falcon help us identify if these upload events are potentially malicious? What indicators or analysis can Falcon provide to determine the maliciousness of these uploads?
Fetching Upload Events: Alternatively, can Falcon allow us to retrieve all upload events associated with the sensitive file or data? How can we use Falcon to query and analyze these events effectively?
Any insights or recommendations on using Falcon for this purpose would be greatly appreciated.