Citrix Analytics for Security

Data Exfiltration

Printing from SaaS apps

This detection fires when a file is printed from a SaaS application from which printing is not allowed. It detects potential data exfiltration through print operations in SaaS applications.

Details

Data Source: Apps and Desktops (Citrix Enterprise Browser)

CAS query

Event-Type = "App.SaaS.File.Print" AND SaaS-App-Name = "<App-Name>"

Sigma signature

author: Citrix
date: 2023/01/31
description: Printing from SaaS apps
detection:
  condition: selection and not filter_null and filter_saas_app_name
  filter_saas_app_name:
    - saas_app_name: '<App-Name>'
  filter_null:
    - saas_app_name: null
  selection:
    - occurrence_event_type: App.SaaS.File.Print
logsource:
  product: citrixanalytics
  service: security
title: Printing from SaaS apps

Clipboard usage on SaaS apps

This detection fires when a cut, copy, or paste activity is performed from any SaaS application. It detects potential data exfiltration from SaaS applications in your organization by monitoring clipboard operations.

Details

Data Source: Apps and Desktops (Citrix Enterprise Browser)

CAS query

Event-Type = "App.SaaS.Clipboard" AND Clipboard-Result = "success" AND Clipboard-Operation IN ( "copy" , "cut" )

Sigma signature

author: Citrix
date: 2023/01/31
description: Clipboard usage on SaaS apps
detection:
  condition: selection and not filter_null and filter_clipboard_details_result and filter_clipboard_operation
  filter_clipboard_details_result:
    - clipboard_details_result: 'success'
  filter_clipboard_operation:
    - clipboard_operation: ['cut', 'copy', '<Other Operation>']
  filter_null:
    - clipboard_operation: null
    - clipboard_details_result: null
  selection:
    - occurrence_event_type: App.SaaS.Clipboard
logsource:
  product: citrixanalytics
  service: security
title: Clipboard usage on SaaS apps
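The following is an added example, not Citrix code: a small Python evaluator that applies the clipboard rule's detection block to constructed events, to show how the condition combines the selection, the null filter, and the two value filters. The events and the "user" field are hypothetical, and the '<Other Operation>' placeholder is left out of the operation list.

```python
# Added example: evaluates the clipboard rule's detection logic on sample events.
# Sigma semantics applied: a list of maps is OR'd, keys inside one map are AND'd,
# a list of values is OR'd, and null matches a missing or empty field.
DETECTION = {
    "selection": [{"occurrence_event_type": "App.SaaS.Clipboard"}],
    "filter_null": [{"clipboard_operation": None},
                    {"clipboard_details_result": None}],
    "filter_clipboard_details_result": [{"clipboard_details_result": "success"}],
    "filter_clipboard_operation": [{"clipboard_operation": ["cut", "copy"]}],
}

def field_matches(event, field, expected):
    actual = event.get(field)
    if expected is None:                      # null: field absent or empty
        return actual is None or actual == ""
    if isinstance(expected, list):            # any listed value may match
        return any(field_matches(event, field, e) for e in expected)
    return actual == expected

def search_matches(event, name):
    # One search identifier: any map matches, and all keys of that map match.
    return any(all(field_matches(event, f, v) for f, v in m.items())
               for m in DETECTION[name])

def rule_matches(event):
    # condition: selection and not filter_null
    #   and filter_clipboard_details_result and filter_clipboard_operation
    return (search_matches(event, "selection")
            and not search_matches(event, "filter_null")
            and search_matches(event, "filter_clipboard_details_result")
            and search_matches(event, "filter_clipboard_operation"))

# Constructed sample events; "user" is a hypothetical field for readability.
SAMPLE_EVENTS = [
    {"user": "alice", "occurrence_event_type": "App.SaaS.Clipboard",
     "clipboard_operation": "copy", "clipboard_details_result": "success"},
    {"user": "bob", "occurrence_event_type": "App.SaaS.Clipboard",
     "clipboard_operation": "paste", "clipboard_details_result": "success"},
    {"user": "carol", "occurrence_event_type": "App.SaaS.Clipboard",
     "clipboard_operation": "cut", "clipboard_details_result": "failure"},
    {"user": "dave", "occurrence_event_type": "App.SaaS.Clipboard",
     "clipboard_details_result": "success"},          # operation missing
    {"user": "erin", "occurrence_event_type": "App.SaaS.File.Print",
     "clipboard_operation": "copy", "clipboard_details_result": "success"},
]

def matching_users(events):
    return [e["user"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    print(matching_users(SAMPLE_EVENTS))
```

As in the CAS query above, a successful paste does not match, because only cut and copy are listed in the operation filter.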