Analytic Story: Data Protection

Description

Fortify your data-protection arsenal with searches that monitor for, and help you investigate, possible signs of data exfiltration, while continuing to ensure the confidentiality and integrity of enterprise data.

Why it matters

Attackers can use a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques fall into two broad categories: remote-access operations, in which data is collected and moved out over a network channel (low risk to the attacker, high payoff), and close-access operations, in which an insider or a physically present attacker removes data on removable media. This Analytic Story is not a comprehensive listing of every method by which attackers can exfiltrate data, but it provides a useful starting point.

Detections

Name | Technique | Type
Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP
Windows TOR Client Execution | Multi-hop Proxy | Anomaly
Windows Process Executed From Removable Media | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
Windows WPDBusEnum Registry Key Modification | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
Windows USBSTOR Registry Key Modification | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
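The table names the story's detections, but the page does not reproduce the searches themselves. As an added example that is not part of the Splunk content, the Python below re-implements the matching logic of four of them over constructed Sysmon events (EventID 1, 12 and 13, in the XML shape the XmlWinEventLog sourcetype ingests) so the conditions can be exercised offline. The registry path fragments, the tor.exe name match and the "any drive letter other than C:" approximation for removable media are assumptions made for this example, not the exact conditions of the Splunk searches; the sample events are constructed, and the 4688 and CrowdStrike ProcessRollup2 inputs are not covered.

```python
"""Toy re-implementation of four Data Protection story detections over
constructed Sysmon events. Example code, not Splunk's searches."""
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Registry paths written when a USB mass-storage or portable device is plugged in.
# Assumption: these fragments stand in for the real searches' conditions.
USBSTOR_FRAGMENT = "\\currentcontrolset\\enum\\usbstor\\"
WPDBUSENUM_FRAGMENT = "\\currentcontrolset\\enum\\wpdbusenumroot\\"
TOR_NAMES = {"tor.exe"}  # assumption: match on Image basename or OriginalFileName


def sysmon_event(eid: str, computer: str, **data: str) -> str:
    """Build a constructed Sysmon event (sample input, not real telemetry)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{eid}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one event into {EventID, Computer, <EventData Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": system.findtext("e:EventID", default="", namespaces=NS),
        "Computer": system.findtext("e:Computer", default="", namespaces=NS),
    }
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name", "")] = d.text or ""
    return fields


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the story detections this event matches (empty list if none)."""
    hits: List[str] = []
    eid = ev["EventID"]
    image = ev.get("Image", "")
    if eid in ("12", "13"):  # registry object added/deleted, value set
        target = ev.get("TargetObject", "").lower()
        if USBSTOR_FRAGMENT in target:
            hits.append("Windows USBSTOR Registry Key Modification")
        if WPDBUSENUM_FRAGMENT in target:
            hits.append("Windows WPDBusEnum Registry Key Modification")
    if eid == "1":  # process creation
        name = image.rsplit("\\", 1)[-1].lower()
        if name in TOR_NAMES or ev.get("OriginalFileName", "").lower() in TOR_NAMES:
            hits.append("Windows TOR Client Execution")
        # Approximation: EventID 1 carries no drive type, so treat any drive
        # letter other than the system drive C: as removable media.
        if len(image) > 2 and image[1] == ":" and image[0].upper() != "C":
            hits.append("Windows Process Executed From Removable Media")
    return hits


def run(events: List[str]) -> List[Dict[str, str]]:
    """Parse and classify a batch of events; one alert row per (event, detection)."""
    alerts = []
    for xml_text in events:
        ev = parse_event(xml_text)
        for detection in classify(ev):
            alerts.append({"detection": detection, "host": ev["Computer"],
                           "image": ev.get("Image", ""),
                           "target": ev.get("TargetObject", "")})
    return alerts


# Constructed sample events: four that should alert, two that should not.
SAMPLE_EVENTS = [
    sysmon_event("13", "ws01.corp.example", EventType="SetValue",
                 Image="C:\\Windows\\System32\\svchost.exe",
                 TargetObject="HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\"
                              "Disk&Ven_SanDisk&Prod_Cruzer\\4C530001\\FriendlyName"),
    sysmon_event("12", "ws01.corp.example", EventType="CreateKey",
                 Image="C:\\Windows\\System32\\svchost.exe",
                 TargetObject="HKLM\\System\\CurrentControlSet\\Enum\\WpdBusEnumRoot\\"
                              "UMB\\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR"),
    sysmon_event("1", "ws01.corp.example", Image="E:\\tools\\collect.exe",
                 OriginalFileName="collect.exe"),
    sysmon_event("1", "ws02.corp.example",
                 Image="C:\\Users\\alice\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe",
                 OriginalFileName="tor.exe"),
    sysmon_event("1", "ws02.corp.example", Image="C:\\Windows\\System32\\notepad.exe",
                 OriginalFileName="NOTEPAD.EXE"),
    sysmon_event("13", "ws02.corp.example", EventType="SetValue",
                 Image="C:\\Windows\\explorer.exe",
                 TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"),
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

The drive-letter rule is deliberately loose: in production you would enrich with the drive type (from a removable-device inventory or the USBSTOR events themselves) or constrain the letter list, because mapped network drives and second fixed disks will otherwise fire the same alert.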

Data Sources

Name | Platform | Sourcetype | Source
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 2