https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511118#M2470 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</P> <P>Additionally&nbsp; to what Afurze mentioned (with very good criteria by the way) inspecting the alert on our documentation, please investigate the specific endpoint. And maybe talk to the user and/or manager of the endpoint group to see if this endpoint has changed the role in the organization, maybe now it is used to transfer legit info to a legit site ? (customer of yours, provider, other organization you cooperate with...) check with them and also with XDR if a new app has been installed there a bit earlier than the exfiltration ocurred, if the user logged in by the time of potential exfiltration was a legit one and also if the time of data transfer is "normal business hours??", check the type of loggin of the user by that time, was he sitting on the endpoint ? was it a remote/network login ? the IP of the connection in case of the user was remotely connecting ? is it legit location ?&nbsp;</P> <P>Maybe investigating the CGO you can find the app/process that is the culprit of the suspicious action ?</P> <P>Having our Identity Analytics (and so Cloud Identity Engine) enabled will also focus through AD data on the behaviour over time of the suspected user and endpoint.&nbsp;<BR />Just some clues to perform the incident investigation and the determination of the actual root cause of the incident.&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>&nbsp;</P> <P>Luis</P> Fri, 05 Aug 2022 14:00:25 GMT eluis 2022-08-05T14:00:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511029#M2460 <P>Hello!</P> <P>&nbsp;</P> <P>We have some alerts which show us a large upload.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RFeyertag_0-1659634616953.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/42983i1419BFABF17CFCCB/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="RFeyertag_0-1659634616953.png" alt="RFeyertag_0-1659634616953.png" /></span></P> <P>&nbsp;</P> <P>My problem is now, I saw other clients uploading a ton of bytes, but this Alert wasn't fired.&nbsp;</P> <P>I also cannot find any Rule for this.&nbsp;</P> <P>Where is it comming from?&nbsp;</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Aug 2022 17:42:45 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511029#M2460 RFeyertag 2022-08-04T17:42:45Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511049#M2462 <P>Hi RFeyertag,</P> <P>&nbsp;</P> <P data-unlink="true">This is an Analytics alert, specifically&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/large-upload-https" target="_self">Large Upload (https)</A>. The Analytics engine examines data from the XDR agents which have Pro capabilities enabled as well as NGFW logs if you have a Pro per TB license.&nbsp; The Analytics Engine creates a baseline of normal activity in the environment and then looks for anomalies, each alert has its own baseline period and test period, you can read more in the link above for this specific alert.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">The rule does not look only at upload size, it is also looking for sites that clients are not uploading large amounts of data to and that the endpoint in question has not downloaded a large amount of data from.&nbsp; The check is to look for potential data exfiltration from your network.</P> Thu, 04 Aug 2022 18:05:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511049#M2462 afurze 2022-08-04T18:05:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511063#M2463 <P>Thanks a lot!&nbsp;<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P> Thu, 04 Aug 2022 18:17:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511063#M2463 RFeyertag 2022-08-04T18:17:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511118#M2470 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>&nbsp;</P> <P>Additionally&nbsp; to what Afurze mentioned (with very good criteria by the way) inspecting the alert on our documentation, please investigate the specific endpoint. And maybe talk to the user and/or manager of the endpoint group to see if this endpoint has changed the role in the organization, maybe now it is used to transfer legit info to a legit site ? (customer of yours, provider, other organization you cooperate with...) check with them and also with XDR if a new app has been installed there a bit earlier than the exfiltration ocurred, if the user logged in by the time of potential exfiltration was a legit one and also if the time of data transfer is "normal business hours??", check the type of loggin of the user by that time, was he sitting on the endpoint ? was it a remote/network login ? the IP of the connection in case of the user was remotely connecting ? is it legit location ?&nbsp;</P> <P>Maybe investigating the CGO you can find the app/process that is the culprit of the suspicious action ?</P> <P>Having our Identity Analytics (and so Cloud Identity Engine) enabled will also focus through AD data on the behaviour over time of the suspected user and endpoint.&nbsp;<BR />Just some clues to perform the incident investigation and the determination of the actual root cause of the incident.&nbsp;</P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>&nbsp;</P> <P>Luis</P> Fri, 05 Aug 2022 14:00:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/alert-from-which-source-rule/m-p/511118#M2470 eluis 2022-08-05T14:00:25Z