Detecting Credit Card Exfiltration

This example detects credit card data exfiltration. Exfiltration may be through web file upload or USB copy.

For this example, Content Scanning must be enabled. (See .)

It is recommended to set up this use case after the Agent has been collecting information for a few days. Then generate a few sample events to confirm that the use case configuration works correctly.

In this example, content scanning has been enabled in the Agent Realm with the following options:

  • Scan Triggers: All scan triggers are selected

  • DLP Detectors: Credit card number is a selected value

  • Snippets: Enabled

Get Started

Set up the Exploration to detect Web File Upload activity.

  1. Open a new Exploration. From the Proofpoint Information and Cloud Security Platform, select the Analytics app.

  2. From the left side-menu, select Activity > Explorations. Click the New Exploration button.

  3. Your new exploration opens and you see the source node with the default region, time and source. By default, a new Exploration shows all events captured for the past 24 hours, without any filtering applied.

  4. Hover over this first filter and click the pencil button to edit the filter.

    A pane on the right opens.

  5. In the Filter by > Time area, in Over the last, select 7d. All the data over the past 7 days will display. Click Done.

  6. Now, define the activities. Click + (add filter button) to add a new filter. A pane opens on the right.

  7. Select Primary Category > Web File Upload and Copy to USB.

    Type Primary Category in Search Fields to locate this field.

    If Detector is not available, you do not have any Content Scanning events in your current timeline. Either expand the first filter's time range to include more days, or generate a sample event of file upload or USB copy with credit card data in it.

  8. Click + (add filter button) to add a new filter. This is the detector you want to use. Select Indicator > Type > Detector.

  9. From the list, select the values you want. For this example, select credit card number and then click Done.

  10. You see the results in the table.

  11. Click any result to see more information.
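
The sample event mentioned above (a file with credit card data that is then uploaded or copied to USB) can be built from publicly documented payment-processor test numbers. The following Python script is an added example, not part of the Proofpoint documentation; the file name, the text layout, and the assumption that the detector validates the Luhn check digit are illustrative.

```python
"""Build a constructed test file for validating a credit card DLP detector."""
from pathlib import Path

# Publicly documented processor test numbers (not real accounts); constructed sample data.
TEST_PANS = ["4111111111111111", "5555555555554444",
             "378282246310005", "6011111111111117"]
# Control value with a wrong check digit.
# Assumption: the detector validates the Luhn check digit and should not flag this.
CONTROL_PAN = "4111111111111112"

def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def grouped(pan: str, sep: str) -> str:
    """Format a PAN in groups of four digits joined by `sep`."""
    return sep.join(pan[i:i + 4] for i in range(0, len(pan), 4))

def build_sample() -> str:
    """Return text with each test PAN in plain, spaced and dashed form."""
    lines = ["DLP TEST FILE - constructed data, no real cardholder information", ""]
    for n, pan in enumerate(TEST_PANS, 1):
        lines.append(f"Customer {n} card: {pan}")
        lines.append(f"Customer {n} card (spaced): {grouped(pan, ' ')}")
        lines.append(f"Customer {n} card (dashed): {grouped(pan, '-')}")
    lines.append(f"Control (invalid check digit): {CONTROL_PAN}")
    return "\n".join(lines) + "\n"

def write_sample(path: str = "dlp_cc_test.txt") -> Path:
    """Write the sample file (hypothetical default file name)."""
    out = Path(path)
    out.write_text(build_sample(), encoding="utf-8")
    return out

if __name__ == "__main__":
    print(f"Wrote {write_sample()}")
```

Run the script on a monitored endpoint, then upload the resulting file through a browser or copy it to a USB drive to generate the sample events.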

