This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

BIOC Rules for OneDrive File Uploads | Exfiltration

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BIOC Rules for OneDrive File Uploads | Exfiltration

Go to solution
Melvin_Machado
L1 Bithead

‎09-27-2024 05:31 AM - edited ‎09-27-2024 07:51 AM

Hello,

 

I have encountered an issue where some users in my organization are uploading large files (around 100 GB) to their personal OneDrive accounts using public Microsoft domains. Currently, Cortex is allowing these actions without signaling them.

To address this, I created my own BIOC rules, which are functioning well :

 

preset = network_story
| filter dst_action_external_hostname in ("*.onedrive.com", "*.onedrive.live.com") and action_total_upload > 1000000



However, I'm facing two challenges:

  1. Multiple alerts are being generated, but no Incident (INC) is being created.
  2. How can I consolidate these alerts to generate only one alert (instead of 20) when a user uploads files to OneDrive?

I would appreciate your guidance on resolving these issues.

 

Thank you!

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Melvin_Machado
L1 Bithead

‎10-01-2024 03:07 AM

Thank you for your help! I found a solution.

 

preset = network_story
| filter dst_action_external_hostname ="*.onedrive.com" or dst_action_external_hostname = "*.onedrive.live.com"
| filter action_total_upload > 10485760

View solution in original post

3 REPLIES 3

Go to solution
jmazzeo
L4 Transporter

‎09-30-2024 07:45 AM

Hi @Melvin_Machado, thanks for reaching us using the Live Community.

 

What is the severity configured to this custom BIOC rule? Only Medium to Critical alerts will generate an Incident, and if the host generating it is always the same, the alerts should be added to the same Incident.

 

If this post answers your question, please mark it as the solution.

JM
(1)

Go to solution
Melvin_Machado
L1 Bithead
In response to jmazzeo

‎10-01-2024 01:36 AM

Hello Jmazzeo,

 

When I change the severity to Medium, it creates an incident and merges all the alerts as expected 🙂

However, I’m facing another issue now. An alert is being generated even when only 4 KB is uploaded.

I would like the system to trigger an alert only when more than 10 MB is uploaded. Could you help me adjust this setting?

 

Thank you!

0 Likes Likes

Go to solution
Melvin_Machado
L1 Bithead

‎10-01-2024 03:07 AM

Thank you for your help! I found a solution.

 

preset = network_story
| filter dst_action_external_hostname ="*.onedrive.com" or dst_action_external_hostname = "*.onedrive.live.com"
| filter action_total_upload > 10485760
  • 1 accepted solution
  • 326 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks