https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/creating-bioc-rule-for-large-ftp-sessions/m-p/560661#M5271 <P>Hi Everyone,</P> <P>I'm new to Cortex XDR and looking to enhance our network security alerts. I want to create a BIOC rule that triggers an alert whenever a data transfer larger than 100MB occurs between two devices (Local IP to Remote IP). This will help us monitor potentially malicious data transfers or data exfiltration.</P> <P>While we receive XDR Analytic Alerts for certain applications like Microsoft Teams uploading large amounts of data to remote servers, I'd like to implement a similar alerting mechanism for FTP/SFTP or any file transfer protocol. <BR /><BR />Currently, I'm using a query example from the Query Library (attached), but it's not providing results for FTP. It works when I replace "FTP" with "SMB" or other protocols.</P> <P>Is there something I'm missing, or do I need to set up the FTP Collector apllet on the BrokerVM to achieve this goal?</P> <P>Your insights and guidance would be greatly appreciated.</P> <P>Thanks in advance!<BR /><BR />Just to clarify: I want an alert when data uploaded/downloaded is more than a certain size displaying Local and Remote IP table.</P> Thu, 05 Oct 2023 10:52:17 GMT GoatBloke 2023-10-05T10:52:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/creating-bioc-rule-for-large-ftp-sessions/m-p/560661#M5271 <P>Hi Everyone,</P> <P>I'm new to Cortex XDR and looking to enhance our network security alerts. I want to create a BIOC rule that triggers an alert whenever a data transfer larger than 100MB occurs between two devices (Local IP to Remote IP). This will help us monitor potentially malicious data transfers or data exfiltration.</P> <P>While we receive XDR Analytic Alerts for certain applications like Microsoft Teams uploading large amounts of data to remote servers, I'd like to implement a similar alerting mechanism for FTP/SFTP or any file transfer protocol. <BR /><BR />Currently, I'm using a query example from the Query Library (attached), but it's not providing results for FTP. It works when I replace "FTP" with "SMB" or other protocols.</P> <P>Is there something I'm missing, or do I need to set up the FTP Collector apllet on the BrokerVM to achieve this goal?</P> <P>Your insights and guidance would be greatly appreciated.</P> <P>Thanks in advance!<BR /><BR />Just to clarify: I want an alert when data uploaded/downloaded is more than a certain size displaying Local and Remote IP table.</P> Thu, 05 Oct 2023 10:52:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/creating-bioc-rule-for-large-ftp-sessions/m-p/560661#M5271 GoatBloke 2023-10-05T10:52:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/creating-bioc-rule-for-large-ftp-sessions/m-p/560741#M5278 <P>Hi GoatBloke,&nbsp;</P> <P>&nbsp;</P> <P><SPAN>There is an existing Analytics alert for</SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Large-Upload-FTP" target="_blank"> <SPAN>Large Upload (FTP) </SPAN></A><SPAN>where our analytics engine identifies anomalous upload activity outside of the activity baseline established for the endpoint.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>The Cortex XDR - Analytics alerts are detect-only and are heavily dependent upon receiving logs from network devices that would have been involved in transmitting the exfiltrated files. Please ensure that you have the appropriate license and onboarded NGFW logs to your tenant. Ingesting logs from Next-Generation Firewall requires a Cortex XDR Pro per GB license.</SPAN></P> <P>&nbsp;</P> <P>In regard to<SPAN>&nbsp;the XQL query, please note not all BIOCs can be applied as Custom Prevention Rules. Reference </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule" target="_blank"><SPAN>Create a BIOC Rule • Cortex XDR Pro Administrator Guide</SPAN></A></P> <P><SPAN>The following describes the event_type values for which you can create a BIOC rule.</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>FILE—Events relating to file create, write, read, and rename according to the file name and path.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>INJECTION—Events related to process injections.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>LOAD_IMAGE—Events relating to module IDs of processes.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>NETWORK—Events relating to incoming and outgoing network, filed IP addresses, port, host name, and protocol.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>PROCESS—Events relating to execution and injection of a process name, hash, path, and CMD.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>REGISTRY—Events relating to registry write, rename and delete according to registry path.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>STORY—Events relating to a combination of firewall and endpoint logs over the network.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>EVENT_LOG—Events relating to Windows event logs and Linux system authentication logs.</SPAN></LI> </UL> <P><SPAN>Also, here is a LIVEcommunity walkthrough video on how to create custom prevention rules via BIOC’s:</SPAN><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-videos/custom-prevention-rules/ta-p/347271" target="_blank"> <SPAN>https://live.paloaltonetworks.com/t5/cortex-xdr-videos/custom-prevention-rules/ta-p/347271</SPAN></A></P> <P>&nbsp;</P> <P>If you found this response helpful, please Like and select Accept as Solution.&nbsp;</P> <P>&nbsp;</P> <P>Thank you!</P> <P>&nbsp;</P> Thu, 05 Oct 2023 20:27:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/creating-bioc-rule-for-large-ftp-sessions/m-p/560741#M5278 jtalton 2023-10-05T20:27:14Z