“If you see a successful login, followed by the exfiltration of that file, then an alert is generated” If you don’t know that a user has access to a file, you can’t stop it from accessing it. If you’re not stopping it, it’s probably because the credentials are stolen, so it’s not clear why it’s allowed to be there. If a user is authorized to access a file that’s not a legitimate, it can’t be blocked, it will be a violation of the law.”]
Source: https://taosecurity.blogspot.com/2008/10/security-event-correlation-looking-back_4144.html

