https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/599093#M7250 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/315565">@Melvin_Machado</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>What is the severity configured to this custom BIOC rule? Only Medium to Critical alerts will generate an Incident, and if the host generating it is always the same, the alerts should be added to the same Incident.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Mon, 30 Sep 2024 14:45:22 GMT jmazzeo 2024-09-30T14:45:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/598967#M7241 <P>Hello,</P> <P>&nbsp;</P> <P>I have encountered an issue where some users in my organization are uploading large files (around 100 GB) to their personal OneDrive accounts using public Microsoft domains. Currently, Cortex is allowing these actions without signaling them.</P> <P>To address this, I created my own BIOC rules, which are functioning well :</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%">preset = network_story<BR />| filter dst_action_external_hostname in ("*.onedrive.com", "*.onedrive.live.com") and action_total_upload &gt; 1000000</TD> </TR> </TBODY> </TABLE> <P><BR /><BR />However, I'm facing two challenges:</P> <OL> <LI>Multiple alerts are being generated, but no Incident (INC) is being created.</LI> <LI>How can I consolidate these alerts to generate only one alert (instead of 20) when a user uploads files to OneDrive?</LI> </OL> <P>I would appreciate your guidance on resolving these issues.</P> <P>&nbsp;</P> <P>Thank you!</P> Fri, 27 Sep 2024 14:51:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/598967#M7241 Melvin_Machado 2024-09-27T14:51:54Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/599093#M7250 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/315565">@Melvin_Machado</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>What is the severity configured to this custom BIOC rule? Only Medium to Critical alerts will generate an Incident, and if the host generating it is always the same, the alerts should be added to the same Incident.</P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Mon, 30 Sep 2024 14:45:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/599093#M7250 jmazzeo 2024-09-30T14:45:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/599158#M7253 <P>Hello Jmazzeo,</P> <P>&nbsp;</P> <P>When I change the severity to Medium, it creates an incident and merges all the alerts as expected&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>However, I’m facing another issue now. An alert is being generated even when only 4 KB is uploaded.</P> <P>I would like the system to trigger an alert only when more than 10 MB is uploaded. Could you help me adjust this setting?</P> <P>&nbsp;</P> <P>Thank you!</P> Tue, 01 Oct 2024 08:36:26 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/599158#M7253 Melvin_Machado 2024-10-01T08:36:26Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/599164#M7254 <P>Thank you for your help! I found a solution.</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%">preset = network_story<BR />| filter dst_action_external_hostname in ("*.onedrive.com", "*.onedrive.live.com")<BR />| filter action_total_upload &gt; 10485760</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Fri, 18 Oct 2024 14:31:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/599164#M7254 Melvin_Machado 2024-10-18T14:31:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/995761#M7511 <P>| filter action_total_upload &gt; 80000000 // bit (10 Mo)</P> Fri, 29 Nov 2024 15:25:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bioc-rules-for-onedrive-file-uploads-exfiltration/m-p/995761#M7511 Melvin_Machado 2024-11-29T15:25:12Z