FileCatalyst Detection And Response Better

| Incident Type | Example | Initial Response |
|---------------|---------|------------------|
| | Single large transfer to new IP | Verify with user, add to watchlist |
| Tier 2 – Unauthorized access | Compromised user account used for transfer | Force password reset, revoke API keys, isolate endpoint |
| Tier 3 – Data exfiltration | 500 GB of source code transferred to competitor ASN | Block source IP via firewall, suspend FileCatalyst service, initiate breach notification |
| Tier 4 – Ransomware via HotFolder | Encrypted files appear in incoming folder | Quarantine the FileCatalyst server, disconnect from network, restore from backup |

| Use Case | Query Logic | Severity |
|----------|-------------|----------|
| | event_type="login_failure" \| stats count by src_ip > 5 in 1 min | High |
| Anonymous transfer | user="anonymous" AND bytes_transferred > 10485760 | Critical |
| Off-hours exfiltration | time between 22:00-06:00 AND direction="outbound" AND user!=service_account | Medium |
| Deleted audit trail | log_message contains "audit log cleared" OR "transfer.log truncated" | Critical |
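The four detection rules in the table, implemented as an added example over constructed FileCatalyst-style events (this is not code from the page or from the FileCatalyst product). Field names follow the table's query logic; the event record layout and the `svc_fc_transfer` service-account name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, time

SERVICE_ACCOUNTS = {"svc_fc_transfer"}   # assumed; the table only says service_account
TEN_MIB = 10485760                       # the table's anonymous-transfer byte threshold
AUDIT_MARKERS = ("audit log cleared", "transfer.log truncated")

def detect(events):
    """Return (severity, use_case, detail) tuples for the table's four use cases."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["event_type"] == "login_failure":
            failures[e["src_ip"]].append(e["ts"])
        elif e["event_type"] == "transfer":
            if e["user"] == "anonymous" and e["bytes_transferred"] > TEN_MIB:
                alerts.append(("Critical", "Anonymous transfer", e["src_ip"]))
            # the 22:00-06:00 window wraps midnight, so test both halves separately
            t = e["ts"].time()
            off_hours = t >= time(22, 0) or t < time(6, 0)
            if off_hours and e["direction"] == "outbound" and e["user"] not in SERVICE_ACCOUNTS:
                alerts.append(("Medium", "Off-hours exfiltration", e["user"]))
        if any(m in e.get("log_message", "") for m in AUDIT_MARKERS):
            alerts.append(("Critical", "Deleted audit trail", e["log_message"]))
    # more than 5 failures from one src_ip inside any sliding 1-minute window
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= timedelta(minutes=1)) > 5:
                alerts.append(("High", "Login brute force", ip))
                break
    return alerts

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events: 6 failures in 25 s from one IP, a 50 MiB anonymous transfer,
# a 23:15 outbound transfer by a human and one by the service account, and a cleared audit log.
SAMPLE_EVENTS = (
    [{"event_type": "login_failure", "src_ip": "203.0.113.7", "ts": _ts(f"2024-05-01 09:00:{i*5:02d}")} for i in range(6)]
    + [{"event_type": "transfer", "user": "anonymous", "src_ip": "198.51.100.2", "direction": "inbound",
        "bytes_transferred": 50 * 2**20, "ts": _ts("2024-05-01 10:00:00")},
       {"event_type": "transfer", "user": "jdoe", "src_ip": "10.0.0.5", "direction": "outbound",
        "bytes_transferred": 2**20, "ts": _ts("2024-05-01 23:15:00")},
       {"event_type": "transfer", "user": "svc_fc_transfer", "src_ip": "10.0.0.6", "direction": "outbound",
        "bytes_transferred": 2**30, "ts": _ts("2024-05-01 23:30:00")},
       {"event_type": "admin", "src_ip": "10.0.0.9", "ts": _ts("2024-05-01 11:00:00"),
        "log_message": "audit log cleared by admin"}]
)
```

Calling `detect(SAMPLE_EVENTS)` yields one alert per rule; the service-account transfer at 23:30 is correctly ignored by the off-hours rule.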
