Skill

detecting-insider-data-exfiltration-via-dlp

From asi

Detects insider data exfiltration in endpoint/cloud logs using pandas for DLP violations, upload anomalies, file patterns, and off-hours activity. For threat hunting and SOC analysis.

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require detecting insider data exfiltration via dlp

SKILL.md

Similar Skills

detecting-insider-data-exfiltration-via-dlp

5.9k

Detects insider data exfiltration via DLP by analyzing logs for policy violations, file access patterns, upload anomalies, and off-hours activity using pandas.

3 files

cybersecurity-skills

detecting-insider-data-exfiltration-via-dlp

Detects insider data exfiltration by analyzing DLP policy violations, file access patterns, upload volume anomalies, and off-hours activity using pandas for behavioral baselines. Useful for threat investigations and DLP user analytics.

3 files

cybersecurity-skills-zh

investigating-insider-threat-indicators

Investigates insider threat indicators like data exfiltration, unauthorized access, policy violations, and pre-departure behaviors using SIEM analytics, DLP alerts, and HR correlation. For SOC teams with HR referrals or anomalous data movement.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting Insider Data Exfiltration via DLP

When to Use

When investigating security incidents that require detecting insider data exfiltration via dlp

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Analyze endpoint activity logs, cloud storage access, and email DLP events to detect data exfiltration patterns using behavioral baselines and statistical anomaly detection.

import pandas as pd df = pd.read_csv("file_activity.csv", parse_dates=["timestamp"]) # Baseline: average daily upload volume per user baseline = df.groupby(["user", df["timestamp"].dt.date])["bytes_transferred"].sum() user_avg = baseline.groupby("user").mean() # Alert on users exceeding 3x their baseline today = df[df["timestamp"].dt.date == pd.Timestamp.today().date()] today_totals = today.groupby("user")["bytes_transferred"].sum() anomalies = today_totals[today_totals > user_avg * 3]

Key indicators:

Upload volume exceeding 3x daily baseline

Access to files outside normal scope

Bulk downloads before resignation

Off-hours file access patterns

USB/external device usage spikes

Examples

# Detect off-hours activity df["hour"] = df["timestamp"].dt.hour off_hours = df[(df["hour"] < 6) | (df["hour"] > 22)] suspicious = off_hours.groupby("user").size().sort_values(ascending=False)