Overview
The All File Activity add-on, also called all file metadata (AFM), provides additional visibility into file activity within your organization by tracking file created, modified, and deleted events. While this activity does not typically indicate an immediate exfiltration risk, it can provide additional context for detecting and investigating insider risks.
Considerations
- The All File Activity add-on is available for all Incydr product plans.
- The add-on captures three additional file event actions for endpoint activity: created, modified, and deleted.
- Created, modified, and deleted file events are visible in Forensic Search. However, since they are not exfiltration events, these events generally do not contain risk scores and therefore do not appear in Incydr dashboards and alerts.
Use cases
The All File Activity add-on enables you to monitor and investigate non-exfiltration file activity. Common use cases include:
- Data infiltration detection: File created events can help identify files brought into the organization by new employees during their onboarding period.
- Detailed file history: The inclusion of file creation, modification, and deletion events provides the full history of a file. This can help investigate file activity prior to an exfiltration event.
- Data sabotage via deletion: File deleted events can show you anomalous activity such as targeted file deletion or mass file deletion. Unusual file deletion may indicate malicious activity. It may also indicate a user is preparing to leave the company.
- Lateral data movement: Track the movement of sensitive files and critical assets to see who created or modified them.
- More context for data integrations: If you export Incydr event data to external SIEM or UEBA tools, the added metadata for file created, modified, and deleted events can provide valuable context for broader security analytics. (Requires full API access.)
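As an added example (not Code42's own code or API), here is detection logic a SIEM analyst might run over exported file events to surface the mass-deletion pattern described above, which matters because created, modified, and deleted events carry no Incydr risk score and so will not raise an alert on their own. The field names (event.action, user.email, @timestamp) and the sample records are assumptions modelled on the Incydr file-event JSON shape; adjust them to your own export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). Field names mirror the Incydr
# file-event JSON shape as an assumption; adjust to your export format.
def _event(ts, action, email, name):
    return {"@timestamp": ts, "event": {"action": action},
            "user": {"email": email}, "file": {"name": name}}

SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "file-created", "alice@example.com", "q2-plan.docx"),
    _event("2024-05-01T09:05:00Z", "file-modified", "alice@example.com", "q2-plan.docx"),
    _event("2024-05-01T09:30:00Z", "file-deleted", "alice@example.com", "old-notes.txt"),
] + [
    # Twelve deletions by one user inside 60 seconds: a mass-deletion burst.
    _event(f"2024-05-01T10:00:{i * 5:02d}Z", "file-deleted",
           "bob@example.com", f"report-{i}.xlsx")
    for i in range(12)
]

def parse_ts(value):
    """Parse the UTC ISO-8601 timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_mass_deletions(events, threshold=10, window_seconds=300):
    """Return {user_email: peak_count} for users whose file-deleted events
    reach `threshold` within any sliding window of `window_seconds`.
    Created/modified/deleted events have no risk score, so a check like
    this is what makes a deletion burst visible in a SIEM."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> deletion timestamps inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event"]["action"] != "file-deleted":
            continue
        user = ev["user"]["email"]
        ts = parse_ts(ev["@timestamp"])
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop deletions older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(find_mass_deletions(SAMPLE_EVENTS))
```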