Citrix Analytics for Security

Data Exfiltration

Printing from SaaS apps

This occurs when a file is printed from a SaaS application from which printing is not allowed. It detects potential data exfiltration by printing operations in SaaS applications.

Details

Data Source: Apps and Desktops (Citrix Enterprise Browser)

CAS query

Event-Type = "App.SaaS.File.Print" AND SaaS-App-Name = "<App-Name>"
<!--NeedCopy-->

Sigma signature

author: Citrix
date: 2023/01/31
description: Printing from SaaS apps
detection:
  condition: selection and not filter_null and filter_saas_app_name
  filter_saas_app_name:
  - saas_app_name: '<App-Name>'
  filter_null:
  - saas_app_name: null
  selection:
  - occurrence_event_type: App.SaaS.File.Print
logsource:
  product: citrixanalytics
  service: security
title: Printing from SaaS apps
<!--NeedCopy-->

Clipboard usage on SaaS apps

This occurs when a cut, copy, or paste activity is done from any SaaS application. It detects potential data exfiltration from SaaS applications in your organization by monitoring the clipboard operations.

Details

Data Source: Apps and Desktops (Citrix Enterprise Browser)

CAS query

Event-Type = "App.SaaS.Clipboard" AND Clipboard-Result = "success" AND Clipboard-Operation IN ( "copy" , "cut" )
<!--NeedCopy-->

Sigma signature

author: Citrix
date: 2023/01/31
description: Clipboard usage on SaaS apps
detection:
  condition: selection and not filter_null and filter_clipboard_details_result and filter_clipboard_operation
  filter_clipboard_details_result:
  - clipboard_details_result: 'success'
  filter_clipboard_operation:
  - clipboard_operation: ['cut', 'copy', '<Other Operation>']
  filter_null:
  - clipboard_operation: null
  - clipboard_details_result: null
  selection:
  - occurrence_event_type: App.SaaS.Clipboard
logsource:
  product: citrixanalytics
  service: security
title: Clipboard usage on SaaS apps
<!--NeedCopy-->
Data Exfiltration