BIOC Rules for OneDrive File Uploads | Exfiltration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

BIOC Rules for OneDrive File Uploads | Exfiltration

L1 Bithead

Hello,

 

I have encountered an issue where some users in my organization are uploading large files (around 100 GB) to their personal OneDrive accounts using public Microsoft domains. Currently, Cortex is allowing these actions without signaling them.

To address this, I created my own BIOC rules, which are functioning well :

 

preset = network_story
| filter dst_action_external_hostname in ("*.onedrive.com", "*.onedrive.live.com") and action_total_upload > 1000000



However, I'm facing two challenges:

  1. Multiple alerts are being generated, but no Incident (INC) is being created.
  2. How can I consolidate these alerts to generate only one alert (instead of 20) when a user uploads files to OneDrive?

I would appreciate your guidance on resolving these issues.

 

Thank you!

1 accepted solution

Accepted Solutions

L1 Bithead

Thank you for your help! I found a solution.

 

preset = network_story
| filter dst_action_external_hostname ="*.onedrive.com" or dst_action_external_hostname = "*.onedrive.live.com"
| filter action_total_upload > 10485760

View solution in original post

3 REPLIES 3

L4 Transporter

Hi @Melvin_Machado, thanks for reaching us using the Live Community.

 

What is the severity configured to this custom BIOC rule? Only Medium to Critical alerts will generate an Incident, and if the host generating it is always the same, the alerts should be added to the same Incident.

 

If this post answers your question, please mark it as the solution.

JM

Hello Jmazzeo,

 

When I change the severity to Medium, it creates an incident and merges all the alerts as expected 🙂

However, I’m facing another issue now. An alert is being generated even when only 4 KB is uploaded.

I would like the system to trigger an alert only when more than 10 MB is uploaded. Could you help me adjust this setting?

 

Thank you!

L1 Bithead

Thank you for your help! I found a solution.

 

preset = network_story
| filter dst_action_external_hostname ="*.onedrive.com" or dst_action_external_hostname = "*.onedrive.live.com"
| filter action_total_upload > 10485760
  • 1 accepted solution
  • 424 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!