topic Re: Large Upload(Generic) Microsoft Teams alerts in Cortex XDR Discussions

Large Upload(Generic) Microsoft Teams alerts

Vijisaga — Wed, 13 Dec 2023 13:37:39 GMT

Hi Team,

We are receiving more alerts 'Large Upload (Generic)' generated by XDR Analytics from Microsoft Teams (ms-teams.exe) and i checked the IPs - Microsoft Corporation (ISP) and Domain -microsoft.com.

I need an answer to the following questions:

1. How the alerts are getting triggered

2. How to Reduce it /mitigation

3. How to investigate it

Pls help on it.....

#Large Upload (Generic) #alerts

Re: Large Upload(Generic) Microsoft Teams alerts

dbahuguna — Wed, 13 Dec 2023 13:53:19 GMT

Hi @Vijisaga

Thank you for reaching out to Palo Alto Networks Live community.

Below are the answers to your questions:

1. How the alerts are getting triggered?

The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.) Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low. For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time. An attacker may be exfiltrating data directly to the internet.

2. How to Reduce it /mitigation?

You can created the Alert Exclusion or Automation rule for the same.
>> Alert Exclusion:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Alert-Exclusions

>> Automation rule:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Automation-Rules

3. How to investigate it?

Investigative actions:
>> Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity.
>> Check if the traffic is to/from a misconfigured network.
>> Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise.
>> Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

Please find the below helpful document for Cortex XDR Analytics Alert Reference:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Required-Data-Sources

Please find the below helpful document for Cortex XDR Analytics Alert Reference/Large-Upload-Generic:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Large-Upload-Generic

Hope this will be helpful!

Please mark the response as "Accept as Solution" if it answers your query.

Re: Large Upload(Generic) Microsoft Teams alerts

Vijisaga — Wed, 13 Dec 2023 15:46:45 GMT

Thanks for your response! @dbahuguna

why most of the alerts are triggered from Microsoft Teams (ms-teams.exe)?

Re: Large Upload(Generic) Microsoft Teams alerts

tlmarques — Mon, 18 Dec 2023 18:20:37 GMT

I have the same problem. But in my case, I opened a case with the support team...
The answer was, every call with screen sharing, document sharing, etc... XDR will create an alert.

The only chance of this not appear is accept the risk and create a pre process rule.

Please mark the response as "Accept as Solution" if it answers your query.

Re: Large Upload(Generic) Microsoft Teams alerts

Vijisaga — Tue, 19 Dec 2023 12:31:22 GMT

Thanks for the response @tlmarques

Some of the users confirmed that they haven't shared any data through ms-teams. so, in this case, what action needs to be performed? @tlmarques @dbahuguna

Re: Large Upload(Generic) Microsoft Teams alerts

tlmarques — Tue, 19 Dec 2023 17:19:22 GMT

in my case, when users start a meeting and sharing screen, the alert appear. but

Re: Large Upload(Generic) Microsoft Teams alerts

tlmarques — Tue, 19 Dec 2023 17:44:26 GMT

confirm whether the destination IP is Microsoft Teams or not...
see this from the IP in the XDR Alert information and compare with the link "Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn"

Then open a case with the support team....

Hope this will be helpful!