IR-005 · data-loss · v1.0.0

Data Exfiltration via DLP Alert

⚠️ high · ⚠️ critical
Est. Time: 60m
📋 Steps: 10 steps
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 120m

🔧 Tools Required

DLP platform, CASB, SIEM, EDR, proxy

⚡ Triggers

dlp_policy_violation, casb_alert, siem_large_data_transfer, email_dlp_block, endpoint_dlp_alert

🔌 Integrations

[required] Microsoft Purview: Microsoft Purview DLP — email, SharePoint, OneDrive, Teams, endpoint

[optional] Forcepoint DLP: Alternative enterprise DLP — network and endpoint coverage

[optional] Netskope: CASB and inline DLP for cloud app data movement

[optional] CrowdStrike Falcon: Endpoint DLP and USB activity monitoring

[required] Splunk: SIEM correlation across DLP, proxy, and email logs


Review the DLP alert details: the policy that triggered, the data classification (PII, PCI, PHI, IP, Confidential), the file name, the data volume, and the detection confidence. Determine the data sensitivity level from the classification. Assess whether this is a true positive (an actual exfiltration attempt) or a false positive (an authorized transfer, or data the policy miscategorized). Do not over-escalate on low-confidence alerts: queue them for analyst review rather than opening a full incident.

⚡ Automation Hint

Microsoft Purview: GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftPurview'
Forcepoint DLP: GET https://<dlp_server>/api/incidents/{incident_id}
Netskope: GET https://<tenant>.goskope.com/api/v1/alerts?token=<token>&type=dlp

URL-encode the OData $filter before sending it (raw spaces and quotes are not valid in a query string). The Netskope v1 call carries the API token in the query string, so any proxy or web-server log that records the full URL also records the secret; treat those logs accordingly.

📤 Outputs

alert_id, data_classification, confidence_score, user_identity, destination
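The triage logic of this step as working code, added here as an example rather than taken from the playbook or any of the listed vendors. It takes a DLP alert already normalized to the step's output fields, rates the data sensitivity, decides between escalation, analyst review and closure as a false positive, and builds the Graph query from the automation hint with a correctly encoded $filter. The sensitivity ordering, the sanctioned-destination list, the confidence and volume thresholds, the 0.0-1.0 confidence scale and all sample alerts are assumptions constructed for the example.

```python
"""Step 1 triage as code: take a DLP alert normalised to the step's output
fields, decide whether it is a probable true positive, and avoid escalating
low-confidence hits. Added example; every threshold and list below is an
assumption, not a value taken from the playbook."""
from dataclasses import dataclass
from urllib.parse import urlencode, quote

# Sensitivity tier per classification label used in the playbook.
# Assumption: this ordering; map it to your own classification policy.
SENSITIVITY = {"PCI": 3, "PHI": 3, "PII": 2, "IP": 2, "Confidential": 1}

# Destinations the business has sanctioned for data sharing (assumed values).
SANCTIONED_DESTINATIONS = {"sharepoint.contoso.example", "backup.contoso.example"}

# Assumed thresholds: alerts below LOW_CONFIDENCE go to analyst review instead
# of escalation; LARGE_TRANSFER_MB mirrors the siem_large_data_transfer trigger.
LOW_CONFIDENCE = 0.6
LARGE_TRANSFER_MB = 500.0


@dataclass
class DlpAlert:
    """Vendor-neutral alert record. confidence_score is assumed to be
    normalised to 0.0-1.0 by the collector (some DLP products emit
    low/medium/high labels instead)."""
    alert_id: str
    policy: str
    data_classification: str
    confidence_score: float
    user_identity: str
    destination: str
    file_name: str
    volume_mb: float


def graph_purview_alerts_url() -> str:
    """The Graph query from the automation hint, with the OData $filter
    URL-encoded (a raw space or quote in the query string is rejected)."""
    base = "https://graph.microsoft.com/v1.0/security/alerts_v2"
    query = urlencode({"$filter": "serviceSource eq 'microsoftPurview'"},
                      quote_via=quote)
    return f"{base}?{query}"


def triage(alert: DlpAlert) -> dict:
    """Return the step's outputs plus a decision and the reasons for it."""
    tier = SENSITIVITY.get(alert.data_classification, 0)
    sanctioned = alert.destination in SANCTIONED_DESTINATIONS
    large = alert.volume_mb >= LARGE_TRANSFER_MB
    volume_note = f"volume {alert.volume_mb:.0f} MB exceeds {LARGE_TRANSFER_MB:.0f} MB"
    reasons = []

    if sanctioned:
        # Authorised transfer channel: a false positive unless the volume is
        # unusual, in which case a human still looks at it.
        decision = "analyst_review" if large else "close_false_positive"
        reasons.append(f"destination {alert.destination} is sanctioned")
        if large:
            reasons.append(volume_note)
    elif alert.confidence_score < LOW_CONFIDENCE and not large:
        # Low-confidence detection with no volume signal: do not over-escalate.
        decision = "analyst_review"
        reasons.append(f"confidence {alert.confidence_score:.2f} below {LOW_CONFIDENCE}")
    elif tier >= 2 or large:
        decision = "escalate"
        if tier >= 2:
            reasons.append(f"{alert.data_classification} is sensitivity tier {tier}")
        if large:
            reasons.append(volume_note)
    else:
        decision = "analyst_review"
        reasons.append("low-tier classification, unsanctioned destination")

    outputs = {k: getattr(alert, k) for k in
               ("alert_id", "data_classification", "confidence_score",
                "user_identity", "destination")}
    outputs.update(sensitivity_tier=tier, decision=decision, reasons=reasons)
    return outputs


# Constructed sample alerts (not real incidents).
SAMPLE_ALERTS = [
    DlpAlert("a-1001", "PCI-Cardholder-Data", "PCI", 0.92, "alice@contoso.example",
             "personal-mail.example", "cards_q3.xlsx", 12.0),
    DlpAlert("a-1002", "Confidential-Keyword", "Confidential", 0.35, "bob@contoso.example",
             "files.example", "notes.docx", 3.0),
    DlpAlert("a-1003", "PII-SSN", "PII", 0.88, "carol@contoso.example",
             "sharepoint.contoso.example", "hr_roster.csv", 40.0),
    DlpAlert("a-1004", "Confidential-Keyword", "Confidential", 0.70, "dave@contoso.example",
             "unknown-host.example", "archive.zip", 2000.0),
]


def triage_all(alerts=SAMPLE_ALERTS) -> list:
    """Triage every alert in the batch; returns one output dict per alert."""
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    print(graph_purview_alerts_url())
    for result in triage_all():
        print(result["alert_id"], result["decision"], "; ".join(result["reasons"]))
```

The four samples exercise each branch: a high-tier classification to an unsanctioned destination escalates, a low-confidence keyword hit on a small file goes to analyst review, a PII file landing on the sanctioned SharePoint host closes as a false positive, and a low-tier file escalates only because its volume crosses the large-transfer threshold. The reasons list is what an analyst would want attached to the ticket so the decision can be audited later.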