Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies, and off-hours activity using pandas for behavioral baselines. Useful for threat investigations and DLP user analytics.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
Analyzes endpoint activity logs, cloud storage access records and email DLP events, using behavioral baselines and statistical anomaly detection to identify data exfiltration patterns.
```python
import pandas as pd

df = pd.read_csv("file_activity.csv", parse_dates=["timestamp"])

# Baseline: each user's average daily upload volume
baseline = df.groupby(["user", df["timestamp"].dt.date])["bytes_transferred"].sum()
user_avg = baseline.groupby("user").mean()

# Alert on users exceeding 3x their baseline
today = df[df["timestamp"].dt.date == pd.Timestamp.today().date()]
today_totals = today.groupby("user")["bytes_transferred"].sum()
# Align the threshold to today's users first: pandas refuses to compare two
# Series with different indexes; users with no baseline get NaN and are not flagged
threshold = (user_avg * 3).reindex(today_totals.index)
anomalies = today_totals[today_totals > threshold]
```
Key indicators:

```python
# Detect off-hours activity (before 06:00 or after 22:00)
df["hour"] = df["timestamp"].dt.hour
off_hours = df[(df["hour"] < 6) | (df["hour"] > 22)]
suspicious = off_hours.groupby("user").size().sort_values(ascending=False)
```
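The snippets above assume a `file_activity.csv` on disk and a baseline that includes the day being reviewed. The following added example (not code from the skill or the repository) runs the same three indicators over a small constructed log embedded inline, excludes the review day from each user's baseline so a spike cannot raise its own threshold, and folds upload anomalies, off-hours activity and DLP violations into one per-user triage score; the column names, `REVIEW_DATE` and the score weights are assumptions.

```python
import datetime
import io
import pandas as pd

# Constructed sample log in the file_activity.csv layout (not real data)
SAMPLE_CSV = """user,timestamp,bytes_transferred,dlp_violation
alice,2024-03-01 09:15:00,1200000,0
alice,2024-03-02 10:05:00,900000,0
alice,2024-03-03 11:30:00,1100000,0
alice,2024-03-04 23:40:00,9500000,1
bob,2024-03-01 14:00:00,300000,0
bob,2024-03-02 15:20:00,280000,0
bob,2024-03-03 16:45:00,310000,0
bob,2024-03-04 13:10:00,320000,0
carol,2024-03-04 02:30:00,50000,0
"""
REVIEW_DATE = datetime.date(2024, 3, 4)  # assumed day under investigation

def load_activity(csv_text: str) -> pd.DataFrame:
    df = pd.read_csv(io.StringIO(csv_text), parse_dates=["timestamp"])
    df["date"] = df["timestamp"].dt.date
    df["hour"] = df["timestamp"].dt.hour
    return df

def upload_anomalies(df: pd.DataFrame, review_date, multiplier: float = 3.0) -> pd.Series:
    """Users whose upload total on review_date exceeds multiplier x their historical daily mean."""
    history = df[df["date"] < review_date]  # baseline excludes the review day itself
    daily = history.groupby(["user", "date"])["bytes_transferred"].sum()
    user_avg = daily.groupby("user").mean()
    today = df[df["date"] == review_date].groupby("user")["bytes_transferred"].sum()
    # Align before comparing; users with no history get NaN and compare False
    threshold = (user_avg * multiplier).reindex(today.index)
    return today[today > threshold]

def off_hours_counts(df: pd.DataFrame, start: int = 6, end: int = 22) -> pd.Series:
    """Per-user count of events before `start` or after `end` o'clock."""
    mask = (df["hour"] < start) | (df["hour"] > end)
    return df[mask].groupby("user").size().sort_values(ascending=False)

def risk_summary(df: pd.DataFrame, review_date) -> pd.Series:
    """Combine the indicators into one per-user score for triage (weights are assumed)."""
    score = pd.Series(0, index=df["user"].unique(), dtype=int)
    score.loc[upload_anomalies(df, review_date).index] += 2
    score.loc[off_hours_counts(df).index] += 1
    dlp_users = df[df["dlp_violation"] == 1].groupby("user").size().index
    score.loc[dlp_users] += 2
    return score.sort_values(ascending=False)

if __name__ == "__main__":
    print(risk_summary(load_activity(SAMPLE_CSV), REVIEW_DATE))
```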