Dropbox
Communication and Collaboration
Dropbox - Cloud storage service for file sharing and collaboration.
Detection Rules for Dropbox
These detection rules are designed to enhance Dropbox security by monitoring for unusual access patterns, unauthorized data sharing, and abnormal login behaviors, aiming to safeguard against unauthorized access and data exfiltration. They address critical aspects of Dropbox as a cloud-based storage and collaboration tool, ensuring sensitive file protection and alerting on suspicious activities.
Provider: Dropbox
Detection Rule | MITRE Tactic | MITRE Technique | Criticality |
---|---|---|---|
Unauthorized File Access | Initial Access | T1071.001 - Application Layer Protocol: Web Protocols | High |
Data Exfiltration via Dropbox | Exfiltration | T1041 - Exfiltration Over Command and Control Channel | Critical |
Suspicious File Sharing Activity | Command and Control | T1071.001 - Application Layer Protocol: Web Protocols | Medium |
Large Volume File Downloads | Exfiltration | T1041 - Exfiltration Over Command and Control Channel | Medium |
Malware Delivery via File Uploads | Execution | T1203 - Exploitation for Client Execution | Critical |
Credential Theft from Dropbox | Credential Access | T1081 - Credentials in Files | High |
Unauthorized API Access | Credential Access | T1078 - Valid Accounts | High |
Phishing Campaigns Using Dropbox Links | Initial Access | T1566 - Phishing | Critical |
Account Takeover Attempts | Credential Access | T1078 - Valid Accounts Discovery | High |
File Integrity Manipulation | Execution | T1203 - Exploitation for Client Execution | Medium |
APIs and Their Scopes
Detection Name | API Required | Scope Required | Usage |
---|---|---|---|
Unauthorized File Access | Dropbox API (File Access) | files.metadata.read, files.content.read | Access to read metadata and content of files to monitor access. |
Data Exfiltration via Dropbox | Dropbox API (File Download) | files.content.read | Used to track file downloads and identify large transfers. |
Suspicious File Sharing Activity | Dropbox API (Shared Links) | sharing.read | Access to shared link settings and logs for suspicious activity. |
Large Volume File Downloads | Dropbox API (File Download) | files.content.read | Monitors download activity to detect abnormal behavior. |
Malware Delivery via File Uploads | Dropbox API (File Upload) | files.content.write, files.metadata.read | Checks uploads for potential malware signatures and content. |
Credential Theft from Dropbox | Dropbox API (Account Activity) | account.read | Access to user account activity logs to track credential usage. |
Unauthorized API Access | Dropbox API (Account Management) | team.read | Allows tracking of API token usage and management for security. |
Phishing Campaigns Using Dropbox Links | Dropbox API (Shared Links) | sharing.read | Queries shared link logs to identify potential phishing attempts. |
Account Takeover Attempts | Dropbox API (Login Activity) | account.read | Access to login activity logs to monitor for suspicious attempts. |
File Integrity Manipulation | Dropbox API (File Metadata) | files.metadata.read | Checks file version history and changes for integrity verification. |
Reports and Widgets for CISO
Report Name | Widgets | Description |
---|---|---|
Unauthorized Access Overview | Bar Chart: Count of unauthorized access attempts by user. Pie Chart: Sources of unauthorized access (IP addresses). Table: Details of unauthorized access events (date, file, user). | Summarizes instances of unauthorized file access attempts. |
Data Exfiltration Attempts | Line Chart: Trends in data transfers over time. Bar Chart: Count of exfiltration attempts by file type. List: Top files targeted for exfiltration. | Highlights detected attempts of data exfiltration. |
File Sharing Activity Report | Bar Chart: Number of files shared by users. Heatmap: Times of peak sharing activity. Table: List of files shared externally with user details. | Provides insights into file sharing practices and anomalies. |
Malware Detection Report | Bar Chart: Count of malware detections by file type. Table: Details of malware detections (file name, user, date). Pie Chart: Distribution of malware types detected. | Reports on detected malware in uploaded files. |
User Activity Analysis | Dashboard: Summary of user activity metrics. Bar Chart: Most active users. Line Chart: Trends in user login attempts over time. | Monitors user activity patterns and identifies anomalies. |
Account Security Overview | Map: Geographical distribution of logins. Table: List of accounts with multiple failed login attempts. Bar Chart: Count of login attempts by user. | Summarizes account security events, including logins and access. |
Phishing Campaign Summary | Line Chart: Trends in detected phishing attempts. Table: Details of phishing attempts (link, user, date). Pie Chart: Sources of phishing links detected. | Provides insights into detected phishing attempts using Dropbox links. |