Analytics Story: Data Protection

Description

Fortify your data-protection arsenal, while continuing to ensure data confidentiality and integrity, with searches that monitor for and help you investigate possible signs of data exfiltration.

Why it matters

Attackers can leverage a variety of resources to compromise or exfiltrate enterprise data. Common exfiltration techniques include remote-access channels (low-risk, high-payoff active-collection operations) and close-access operations that rely on insiders and removable media. While this Analytic Story is not a comprehensive listing of all the methods by which attackers can exfiltrate data, it provides a useful starting point.

Detections

Name | Technique | Type
Windows Process Executed From Removable Media | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
Windows TOR Client Execution | Multi-hop Proxy | Anomaly
Windows USBSTOR Registry Key Modification | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly
Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP
Windows WPDBusEnum Registry Key Modification | Data from Removable Media, Replication Through Removable Media, Hardware Additions | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 12 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 2