SOAR Use Case – Data Exfiltration


Data Exfiltration is one of the most challenging and complicated investigations for security teams. There are different techniques to detect an intruder before exfiltration, but it is extremely difficult to identify the insider exfiltrating the organization’s sensitive data for malicious purposes. It puts the organization’s confidentiality, integrity, and reputation at risk.

In such a critical case, it is necessary to identify the privileges of the adversary and respond at an early stage to reduce the risks at stake. If the adversary is an insider, the situation becomes even more severe, because the insider could be anyone in the organization's hierarchy, with anywhere from the least to the most access to its resources and trust relationships.

The Data Exfiltration case has the following activities at each step of the Cyber Kill Chain:

Data Exfiltration - Workflow


Data exfiltration attempts are detected via alerts from Data Loss Prevention (DLP) controls. In addition, the behavior of outbound emails and network traffic, such as C2 connections, protocol abuse, abnormal data transfers, and uploads to cloud storage, is monitored for possible detections.

Outbound data volume should also be monitored against size limits over a defined time interval. Analysts should further watch for the use of unauthorized applications such as WeTransfer, as well as internal staging activity (WMI calls, Windows BITS transfers).
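The two detection ideas above, a per-user outbound volume limit over a time window and the use of unauthorized transfer services, can be expressed as a small correlation rule. The following is an added example written for this post, not code from SIRP or from any of the products listed below; the proxy log lines, the list of unauthorized services, and the 1 GB per hour threshold are all constructed values that an analyst would replace with the organization's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (hypothetical, not from the original page):
# "<ISO timestamp> <user> <destination host> <bytes sent>"
SAMPLE_PROXY_LOGS = """
2024-05-02T09:00:10Z alice files.corp.example 120000
2024-05-02T09:05:30Z alice wetransfer.com 450000000
2024-05-02T09:12:45Z bob intranet.corp.example 5000
2024-05-02T09:40:00Z alice wetransfer.com 600000000
2024-05-02T10:15:00Z bob mail.corp.example 3000000
2024-05-02T11:30:00Z carol drive.google.com 250000000
""".strip().splitlines()

# Assumed policy values; tune these to the organization's baseline.
UNAUTHORIZED_SERVICES = {"wetransfer.com", "drive.google.com"}
BYTES_THRESHOLD = 1_000_000_000        # 1 GB outbound per user ...
WINDOW = timedelta(hours=1)            # ... within any one-hour window


def parse_line(line):
    """Split one log line into (timestamp, user, host, bytes_out)."""
    ts, user, host, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host, int(nbytes)


def detect_exfiltration(lines):
    """Return findings for unauthorized-service use and volume-threshold breaches."""
    findings = []
    events_by_user = defaultdict(list)
    service_use = defaultdict(int)      # (user, host) -> total bytes sent there

    for line in lines:
        ts, user, host, nbytes = parse_line(line)
        events_by_user[user].append((ts, nbytes))
        if host in UNAUTHORIZED_SERVICES:
            service_use[(user, host)] += nbytes

    for (user, host), total in service_use.items():
        findings.append({"rule": "unauthorized_service", "user": user,
                         "host": host, "bytes": total})

    # Sliding one-hour window over each user's outbound volume.
    for user, events in events_by_user.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            while ts - events[start][0] > WINDOW:
                total -= events[start][1]
                start += 1
            if total > BYTES_THRESHOLD:
                findings.append({"rule": "volume_threshold", "user": user,
                                 "window_start": events[start][0], "bytes": total})
                break                   # one finding per user is enough to raise the alert
    return findings


if __name__ == "__main__":
    for finding in detect_exfiltration(SAMPLE_PROXY_LOGS):
        print(finding)
```

On the constructed sample, alice trips both rules: her two WeTransfer uploads exceed the hourly volume limit on their own, while carol only trips the unauthorized-service rule. Aggregating service use per user and host, rather than alerting on every request, keeps the resulting alert count close to the number of distinct cases an analyst has to look at.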


DLP, EDR, and Active Directory alerts help to enrich the artifacts of the incident. Information at risk, process details, and user data can be fetched from these controls, respectively.

Secondly, IoC enrichment should be performed for reputation checking, using multiple OSINT and threat intelligence sources. SIEM logs can also be cross-validated for additional correlation, to find out whether the IoCs were seen previously.
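The enrichment step above has two parts that are easy to get wrong in an automated playbook: pulling the IoCs out of the alert consistently, and turning several sources' differing opinions into one verdict. The following is an added example for this post, not SIRP code and not the API of any reputation service named on this page; the alert text, the hash, the per-source verdicts and the set of earlier SIEM sightings are all constructed, standing in for the responses a real integration would return. The combination policy is an assumption too: the worst verdict from any source wins, and an IoC that the SIEM has already matched before is escalated one level.

```python
import re
from urllib.parse import urlparse

# Constructed alert text and hash value (hypothetical, not from the original page).
SAMPLE_HASH = "0123456789abcdef" * 4
SAMPLE_ALERT = f"""
DLP alert: user bob uploaded finance_q3.xlsx to https://drop.example-share.net/upload
Destination IP 203.0.113.45, file SHA256 {SAMPLE_HASH}
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_iocs(text):
    """Map each IoC found in the alert text to its type (domain, ip or sha256)."""
    iocs = {}
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname      # take the host, not the whole URL
        if host:
            iocs[host] = "domain"
    for ip in IPV4_RE.findall(text):
        iocs[ip] = "ip"
    for digest in SHA256_RE.findall(text):
        iocs[digest.lower()] = "sha256"    # normalize case so sources agree on the key
    return iocs


# Constructed verdicts standing in for responses from several reputation sources.
SOURCE_VERDICTS = {
    "abuseipdb": {"203.0.113.45": "suspicious"},
    "ibm_xforce": {"203.0.113.45": "clean", "drop.example-share.net": "unknown",
                   SAMPLE_HASH: "clean"},
    "alienvault_otx": {"203.0.113.45": "suspicious", "drop.example-share.net": "suspicious",
                       SAMPLE_HASH: "clean"},
}
# Constructed set of IoCs that earlier SIEM searches had already matched.
PRIOR_SIEM_SIGHTINGS = {"203.0.113.45"}

LEVEL = {"clean": 0, "suspicious": 1, "malicious": 2}
NAME = {0: "clean", 1: "suspicious", 2: "malicious"}


def enrich(iocs, sources=SOURCE_VERDICTS, prior=PRIOR_SIEM_SIGHTINGS):
    """Combine per-source verdicts conservatively and escalate IoCs already seen in the SIEM."""
    results = {}
    for ioc, kind in iocs.items():
        votes = {name: table.get(ioc, "unknown") for name, table in sources.items()}
        known = [LEVEL[v] for v in votes.values() if v != "unknown"]
        seen_before = ioc in prior
        if not known:
            verdict = "unknown"                      # nobody has an opinion: say so, not "clean"
        else:
            level = max(known)                       # the worst verdict wins
            if seen_before and level > 0:
                level = min(level + 1, 2)            # prior SIEM hits raise confidence one step
            verdict = NAME[level]
        results[ioc] = {"type": kind, "votes": votes,
                        "seen_in_siem": seen_before, "verdict": verdict}
    return results


if __name__ == "__main__":
    for ioc, info in enrich(extract_iocs(SAMPLE_ALERT)).items():
        print(ioc, info["type"], info["verdict"], info["votes"])
```

Keeping the individual votes alongside the combined verdict matters for the analyst: a "malicious" label that rests on two "suspicious" opinions plus an old SIEM hit is a different thing from one that a source reported outright, and the playbook should not hide that distinction.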


Considering the criticality of the stolen data and the privilege sensitivity of the compromised or involved user, decide the severity and the counteractions of the incident as per the hierarchy of the organization. If an insider is found to be suspicious, the input of the line manager may also be required before taking certain containment actions.


There are multiple remediation actions to choose from, depending on the vector of data exfiltration. One possible action is blocking unauthorized communication channels and IoCs on the perimeter. Depending on the mode of exfiltration, a group policy may be applied to revoke user access and disable USB and Bluetooth. In addition, whitelisting and blacklisting of applications on the edge firewall and endpoints can also be considered. Moreover, it is advisable to enable data encryption both at rest and in transit, and to make sure that backup processes are in place. Furthermore, educating employees on the best practices of data security is always recommended to ensure data protection.
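The triage and remediation steps described in the two paragraphs above come down to a decision: how severe is the case, which actions fit the vector, and which of them must wait for the line manager when an insider is involved. The following is an added example for this post, not a SIRP playbook; the classification and privilege scales, the scoring, the action names and the rule for which actions need manager input are all assumed and would be adapted to the organization's own hierarchy.

```python
from dataclasses import dataclass, field

# Assumed ordinal scales (hypothetical; map to the organization's own classification scheme).
DATA_CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
PRIVILEGE_RANK = {"standard": 0, "privileged": 1, "admin": 2}
SEVERITY_NAMES = ["low", "medium", "high", "critical"]

# Remediation options per exfiltration vector, drawn from the actions discussed in the text.
REMEDIATION_BY_VECTOR = {
    "cloud_upload": ["block_ioc_on_perimeter", "blacklist_application_on_edge"],
    "email": ["block_ioc_on_perimeter", "block_unauthorized_channel"],
    "usb": ["gpo_disable_usb", "gpo_disable_bluetooth"],
    "c2_channel": ["block_ioc_on_perimeter", "isolate_host"],
}
ALWAYS = ["update_siem_reference_sets"]
# Containment actions that directly affect a person or their workstation.
NEEDS_MANAGER_INPUT = {"disable_user_account", "isolate_host", "gpo_revoke_user_access"}


@dataclass
class ExfilIncident:
    user: str
    insider: bool                 # True when the involved account belongs to an employee
    data_classification: str
    user_privilege: str
    vector: str                   # key of REMEDIATION_BY_VECTOR
    iocs: list = field(default_factory=list)


def severity(inc):
    """Severity rises with data criticality, account privilege and insider involvement."""
    score = DATA_CLASS_RANK[inc.data_classification]
    if PRIVILEGE_RANK[inc.user_privilege] >= 1:
        score += 1
    if inc.insider:
        score += 1
    return SEVERITY_NAMES[min(score, len(SEVERITY_NAMES) - 1)]


def plan_response(inc, manager_approved=False):
    """Split the chosen remediation into automatic actions and ones held for manager input."""
    sev = severity(inc)
    actions = list(REMEDIATION_BY_VECTOR.get(inc.vector, ["block_ioc_on_perimeter"])) + ALWAYS
    if sev in ("high", "critical"):
        actions += ["gpo_revoke_user_access", "disable_user_account"]
    actions = list(dict.fromkeys(actions))        # de-duplicate while keeping order
    hold = inc.insider and not manager_approved   # insider case: people-facing actions wait
    automatic = [a for a in actions if not (hold and a in NEEDS_MANAGER_INPUT)]
    pending = [a for a in actions if hold and a in NEEDS_MANAGER_INPUT]
    return {"severity": sev, "automatic": automatic, "pending_manager_approval": pending}


if __name__ == "__main__":
    case = ExfilIncident(user="bob", insider=True, data_classification="confidential",
                         user_privilege="privileged", vector="cloud_upload")
    print(plan_response(case))
    print(plan_response(case, manager_approved=True))
```

The point of separating the two lists is that perimeter blocks and reference-set updates can run the moment the alert is confirmed, while disabling an employee's account or isolating their machine waits for the approval the text calls for; re-running the planner with `manager_approved=True` releases the held actions without changing anything else.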

SOAR platforms can help automate many of the tasks involved in remediating a data exfiltration incident, allowing organizations to deal with data exfiltration efficiently and within an acceptable time frame. SIRP playbooks can automate the incident response steps and counter the incident in a timely manner, reducing the possible impact and risk.

Automating Exfiltration Incident Response with SIRP

Now, let’s have a look at the SIRP automation playbook workflow for the Exfiltration case.

Ingestion of Alerts

SIRP supports different solutions for the collection of alerts and offenses. Some of the popular solutions are listed below:

  • IBM QRadar
  • RSA NetWitness
  • Splunk Enterprise Security
  • Elastic SIEM
  • Symantec DLP
  • Google DLP
  • Office 365 DLP

Collection of Artifacts

SIRP supports different solutions for the collection of artifacts.

  • IBM QRadar
    • Get events for query
  • Splunk Enterprise Security
    • Get user events
    • Get events from last time
  • FireEye EX
    • Get Email status statistics
    • Get Retroactive alerts
  • Windows Defender ATP
    • Collect machine information
  • Windows LDAP
    • Collect User Information
    • Collect User Group Information
    • Collect Manager Information


SIRP supports the following Threat Intelligence portal and OSINT platforms:

  • IBM Xforce
    • Collect IP information
    • Collect URL information
  • Blueliv
    • Search CVE
    • Search FQDN
    • Search IP
    • Search SHA256
    • Search Threat Actor
  • AbuseIPDB
    • Collect IP reputation
  • AlienVault
    • Collect IP information
    • Collect Domain information
    • Collect Hostname information
    • Collect URL information
    • Collect hash information

Automated Incident Response Actions

SIRP supports many remediation actions. Depending on the controls placed in the environment, you can set up automated responses. Following are some response actions:

  • Google DLP
    • Create Inspection Job
    • Delete Inspection Job
    • Get Inspection Job
  • FireEye HX
    • Isolate System
    • Acquire File
    • Acquire Triage
  • Trend Micro Apex Central
    • Isolate system
    • Block/Unblock IP, URL, Domain
  • Cisco WSA
    • Block/Unblock IP, URL, and Domain
  • PaloAlto Firewall
    • Block/Unblock IP address as source/destination
    • Block/Unblock URL
  • FortiGate Firewall
    • Block/Unblock IP address as source/destination
  • Cisco ASA
    • Block IP address as source/destination
  • Juniper SRX Firewall
    • Block/Unblock IP address as source/destination
  • Sophos WAF
    • Block/Unblock IP address as source/destination
    • Block/Unblock URL
  • Windows Defender ATP
    • Block/Unblock IP, URL, Domain
  • Windows LDAP
    • Enable / Disable User
  • IBM QRadar
    • Update IP address reference set
    • Update Email address reference set
    • Update Hash reference set
    • Update URL reference set

SIRP integrates with 100+ popular security tools out of the box, allowing 450+ actions to be completed or automated directly from the platform. SIRP also enables cross-platform integration, so complex, multi-tool processes can be completed in seconds with a single click.

New integrations are available within 72 hours at no additional charge. A complete list of available integrations can be found here:
