https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/false-positives-microsoft-teams-large-upload/m-p/571199#M2948 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;,</P> <P>&nbsp;</P> <P>Normally, preprocessing script should discard those incidents if configured properly. I need to see your script and the raw data coming from the incident to be able to help. If you are still facing the issue, please try to provide relevant part from incident data with demisto.incident() and your preprocessing script.</P> Fri, 29 Dec 2023 09:14:24 GMT gyldz 2023-12-29T09:14:24Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/false-positives-microsoft-teams-large-upload/m-p/566865#M2853 <P>Hey,</P> <P><BR />I need your help.</P> <P>We are receiving alerts "XDR Incident 945 - 'Large upload (generic)' generated by #XDR Analytics detected...</P> <P>&nbsp;</P> <P>Basically, this appears when the user makes a call, shares documents, or shares their screen (using Microsoft Teams).</P> <P>&nbsp;</P> <P>In the #XSOAR event I can see that the processname is ms-teams.exe and the destination ip is from Microsoft Azure networks</P> <P>&nbsp;</P> <P>I know this is related to screen sharing because it has happened to my user/laptop.</P> <P>I tried to create a pre-process rule to do autoclose....in the test... pre-process it works, in practice it doesn't.<BR />Does this situation happen to everyone?<BR />any suggestion??<BR /><BR /></P> Thu, 23 Nov 2023 12:11:38 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/false-positives-microsoft-teams-large-upload/m-p/566865#M2853 tlmarques 2023-11-23T12:11:38Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/false-positives-microsoft-teams-large-upload/m-p/571199#M2948 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307134">@tlmarques</a>&nbsp;,</P> <P>&nbsp;</P> <P>Normally, preprocessing script should discard those incidents if configured properly. I need to see your script and the raw data coming from the incident to be able to help. If you are still facing the issue, please try to provide relevant part from incident data with demisto.incident() and your preprocessing script.</P> Fri, 29 Dec 2023 09:14:24 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/false-positives-microsoft-teams-large-upload/m-p/571199#M2948 gyldz 2023-12-29T09:14:24Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/false-positives-microsoft-teams-large-upload/m-p/571618#M2958 <P>Hi</P> <P>I've found the problem... missing parameter on incoming mapper.</P> <P>&nbsp;</P> Wed, 03 Jan 2024 15:11:24 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/false-positives-microsoft-teams-large-upload/m-p/571618#M2958 tlmarques 2024-01-03T15:11:24Z