Web File Upload Exfiltration

Detection

When a file is uploaded to the Web, the Agent can detect it. You can set up rules to generate an alert on detection.

You can view paste from clipboard activity in the Data Security Workbench applications using the Web File Upload filter.

Prevention

You can create prevention rules to block exfiltration of text via Web File Upload.

The following conditions can be used in Prevention Rules on Web File Upload:

  • Indicator/Detector Name: (Detector > Indicator/Detector Name) Selected detector value.

  • User Name: (User > User Name) Name of the monitored user

  • Group Name: (User > Group Names) Group with monitored user

  • Group from Catalog: (User > Group from Catalog) From Microsoft Entra ID (Microsoft Azure AD)

  • URL Hostname IP: (Website > URL Hostname IP)

  • Classification Labels: (Files/Resources > Classification Labels)

  • File Name: (Files/Resources > File Name) File exfiltration by file name

  • Resource URL: (Files/Resources > Resource URL) Target URL to which the file is being uploaded

  • Resource URL Domain: (Files/Resources > Resource URL Domain) IP address of the URL domain (hostname), resolved via DNS during user activity

  • Content Type: (Files/Resources > Content Type)

  • Extension: (Files/Resources > Extension)

  • Size: (Files/Resources > Size)

  • Tracking Resource URL: (Files/Resources > Tracking Resource URL)

Additional Web File Upload Features

Prevent File Exfiltration via Drag & Drop from Applications to Web

The Windows Agent supports blocking file uploads via Drag & Drop from select applications that act as file containers.

Previously, Drag & Drop from applications other than File Explorer was not fully prevented. Users received a warning message instructing them to use File Explorer instead.

The Agent actively blocks Drag & Drop Web uploads from the following supported file container applications:

  • Classic Microsoft Outlook (new Outlook is not currently supported)
  • Snagit

Known Issues/Behaviors

  • When the Realm setting "Resume web upload operation automatically" is disabled, users may receive repeated prompts to re-upload files, even if the initial content scan finds no sensitive data. This can happen when users attempt to upload the same files again after the first prompt. To prevent workflow disruptions, it is strongly recommended to keep this setting enabled.

  • Detection-only mode is not supported for this activity (as in versions prior to 4.3). If Prevention is disabled on the Agent Realm, the Agent will not detect or report Drag & Drop actions to the backend.

Support for Creating Prevention Rules Based on URL Domain

Prevention Rules for Web File Upload actions can now be created using the Resource URL Domain field within the Files/Resources entity.

Previously, rules could only be defined using the full Resource URL, requiring the Contains operator, which could lead to false positives.

The Resource URL Domain field—representing the hostname of the URL—enables more precise rule creation using exact domain matches.

Key Benefits:

  • Reduces false positives by eliminating the need for partial URL matching.

  • Provides more accurate control over web file upload prevention policies.

This field has long been available for Detection Rules and Exploration.

Example Mappings:

URL                                                Resource URL Domain
http://www.weather.com/summer/temperatures.html    www.weather.com
https://mail.google.com/mail/ca                    mail.google.com
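
The difference between the two rule styles described above, as an added example (not the product's rule engine or code from its documentation): it models a Contains match on the full Resource URL against an exact match on the hostname. The function names, the case-insensitive comparison, and every sample URL other than the two mappings above are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def resource_url_domain(url: str) -> str:
    """Hostname part of a URL, lower-cased, with port and path dropped."""
    return (urlsplit(url).hostname or "").lower()


def contains_rule(url: str, needle: str) -> bool:
    """Models a rule on the full Resource URL using a Contains operator."""
    return needle.lower() in url.lower()


def domain_rule(url: str, domain: str) -> bool:
    """Models a rule on Resource URL Domain using an exact match."""
    return resource_url_domain(url) == domain.lower()


# The first two URLs are the page's example mappings; the rest are constructed.
SAMPLE_UPLOADS = [
    "http://www.weather.com/summer/temperatures.html",
    "https://mail.google.com/mail/ca",
    "https://intranet.example.org/redirect?next=mail.google.com",
    "https://docs.example.org/kb/mail.google.com-setup.html",
    "https://MAIL.GOOGLE.COM:443/upload",
]


def false_positives(urls, domain):
    """URLs a Contains rule would match although the upload target differs."""
    return [u for u in urls
            if contains_rule(u, domain) and not domain_rule(u, domain)]


if __name__ == "__main__":
    target = "mail.google.com"
    for url in SAMPLE_UPLOADS:
        print(f"{resource_url_domain(url):22} "
              f"contains={contains_rule(url, target)!s:5} "
              f"domain={domain_rule(url, target)!s:5} {url}")
    print("Contains-only matches:", false_positives(SAMPLE_UPLOADS, target))
```

The two constructed URLs that carry the domain string in a query parameter or file name match the Contains rule but not the exact domain rule, which is the false-positive case the Resource URL Domain field avoids.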