dlp-russia

Explanation

The dlp-russia NDM aims to detect potential data loss to Russia. It works by looking for large outbound data transfers from internal hosts to an IP address that geolocates to Russia. Because the model keys on transfer volume and destination country, it fires on the aggregate of traffic in a window, so a series of smaller connections to the same destination can trigger it just as a single large upload can.

What to Look For

When examining results of the dlp-russia event, start with the network evidence: which internal host sent the data, to which Russian IP address or domain, how many bytes, over what period, and whether that volume is abnormal compared with the host's usual outbound traffic. Check what the destination actually is, since geolocation is approximate and a CDN node, cloud region, or legitimate business partner can resolve to Russia. Then pivot to the endpoint to confirm whether exfiltration occurred: identify the process that opened the connections, the user account it ran under, and the files it read immediately beforehand. Review user behavior logs for the same account to spot a potential insider attempting to leak data. Feed these findings into your incident response plan so that containment (blocking the destination, isolating the host, disabling the account) and remediation happen quickly.