424 Views 5 Replies Latest reply: Oct 18, 2013 5:02 PM by eelsasser
cjoshdoll Newcomer 11 posts since
Jul 26, 2013

Oct 17, 2013 11:51 AM

More information after a DLP trigger

Right now we are just monitoring with the DLP rules.  Basically we just get an email saying the rule was triggered and then I go hit the DLP log created from the builtin rule.

I know I can pretty up the email and send more information, but is there more relevant info than what is in the DLP log?  For example, this one hit this morning:

[17/Oct/2013:10:31:38 -0500] "-" 10.3.21.61 205.188.138.183 200 "POST http://mail.aol.com/38109-111/aol-6/en-us/common/rpc/RPC.aspx?user=C3MTTH4Rsm&transport=xmlhttp&r=0.8576647616922366&a=SendMessage&m=03242fbf084dfc&l=10504 HTTP/1.1" "SOX Compliance - Compensation and Benefits" "Minimal Risk" "application/json" 1526 204137 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "0" "" "-"

Since that was AOL Mail, it is concerning, but at the same time, might have been nothing, so before we go jumping onto people, it would be nice to have a better idea of the content of the POST.

Thanks

JD

  • eelsasser McAfee SME 845 posts since
    Mar 24, 2010
    1. Oct 17, 2013 12:47 PM (in response to cjoshdoll)
    Re: More information after a DLP trigger

    Double-edged sword.

    Yes, you can log the actual content that was matched on, but that could expose sensitive information.

    Do you want to risk that?

    DLP.Classification.BodyText.MatchedClassifications: Payment Card Industry - Credit Card Number Violations

    DLP.Classification.BodyText.MatchedTerms:

    Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

    Classification: 'Payment Card Industry - Credit Card Number Violations': 'n Express [ 378282246310005  ]American E',

    Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

    Classification: 'Payment Card Industry - Credit Card Number Violations': 'sterCard  [ 5555555555554444  ]MasterCard',

    Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

    Classification: 'Payment Card Industry - Credit Card Number Violations': '5100 Visa [ 4111111111111111  ]Visa 40128',

    Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

    Classification: 'Payment Card Industry - Credit Card Number Violations': 'ners Club [ 30569309025904  ]Diners Clu',

    Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

    Classification: 'Payment Card Industry - Credit Card Number Violations': 'Discover  [ 6011111111111117  ]Discover 6'

    Message was edited by: eelsasser on 10/17/13 1:47:50 PM EDT
  • eelsasser McAfee SME 845 posts since
    Mar 24, 2010
    3. Oct 17, 2013 4:20 PM (in response to cjoshdoll)
    Re: More information after a DLP trigger

    Store DLP.Classification.BodyText.MatchedTerms to a user-defined variable as an event occurs and write it to the log.

    Because special characters like quotes may be contained in the data string, I would suggest at least base64-encoding them, also to further obfuscate them.

  • eelsasser McAfee SME 845 posts since
    Mar 24, 2010
    5. Oct 18, 2013 5:02 PM (in response to cjoshdoll)
    Re: More information after a DLP trigger

    List.OfString.ToString(User-Defined.DLP.MatchedTerms,", ")

    It's not just one string, but a list of strings that contains all the violations.
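As an added example (not from the thread, McAfee, or any of the posters), a small Python helper for the receiving side of what eelsasser describes: it parses the access-log line quoted above into named fields, base64-decodes a MatchedTerms string logged the way replies 3 and 5 propose, and masks the card numbers down to their last four digits before the terms are put into an alert e-mail. The field names and the "[ number ]" layout of the matched terms are assumptions read off the samples in the thread; the Web Gateway log layout is configurable.

```python
import base64
import re
import shlex

# The DLP access-log line quoted in the thread (one line; split here only for readability).
SAMPLE_LOG = (
    '[17/Oct/2013:10:31:38 -0500] "-" 10.3.21.61 205.188.138.183 200 '
    '"POST http://mail.aol.com/38109-111/aol-6/en-us/common/rpc/RPC.aspx?user=C3MTTH4Rsm'
    '&transport=xmlhttp&r=0.8576647616922366&a=SendMessage&m=03242fbf084dfc&l=10504 HTTP/1.1" '
    '"SOX Compliance - Compensation and Benefits" "Minimal Risk" "application/json" 1526 204137 '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "0" "" "-"'
)

# Constructed sample: two MatchedTerms entries in the layout shown in reply 1 (PCI test card numbers).
MATCHED_TERMS = [
    "Classification: 'Payment Card Industry - Credit Card Number Violations': 'n Express [ 378282246310005  ]American E'",
    "Classification: 'Payment Card Industry - Credit Card Number Violations': 'sterCard  [ 5555555555554444  ]MasterCard'",
]

# Field names are assumptions read off the sample line, not an official log format.
FIELDS = ["timestamp", "user", "client_ip", "server_ip", "status", "request", "rule_name",
          "block_category", "content_type", "bytes_in", "bytes_out", "user_agent",
          "unknown_1", "unknown_2", "unknown_3"]

def parse_dlp_log(line):
    """Split one log line into a dict, honouring the double-quoted fields."""
    tokens = shlex.split(line)
    tokens[0:2] = [tokens[0] + " " + tokens[1]]   # re-join "[date" and "offset]" into one timestamp
    rec = dict(zip(FIELDS, tokens))
    rec["method"], rec["url"], _ = rec["request"].split(" ", 2)
    return rec

def encode_terms(terms):
    """Rule side, as reply 5 proposes: join the list with ', ' and base64-encode it for the log."""
    return base64.b64encode(", ".join(terms).encode()).decode()

# A 13-19 digit run inside the square brackets the classifier puts around the matched value.
PAN_RE = re.compile(r"\[\s*(\d{13,19})\s*\]")

def decode_terms(b64):
    """Alert side: decode the logged field and keep only the last four digits of each card number."""
    raw = base64.b64decode(b64).decode()
    return PAN_RE.sub(lambda m: "[ " + "*" * (len(m.group(1)) - 4) + m.group(1)[-4:] + " ]", raw)

if __name__ == "__main__":
    rec = parse_dlp_log(SAMPLE_LOG)
    print(rec["rule_name"], rec["client_ip"], rec["method"], rec["url"])
    print(decode_terms(encode_terms(MATCHED_TERMS)))
```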
