09-27-2024 05:31 AM - edited 09-27-2024 07:51 AM
Hello,
I have encountered an issue where some users in my organization are uploading large files (around 100 GB) to their personal OneDrive accounts using public Microsoft domains. Currently, Cortex is allowing these actions without signaling them.
To address this, I created my own BIOC rules, which are functioning well:
preset = network_story | filter dst_action_external_hostname in ("*.onedrive.com", "*.onedrive.live.com") and action_total_upload > 1000000 |
However, I'm facing two challenges:
I would appreciate your guidance on resolving these issues.
Thank you!
09-30-2024 07:45 AM
Hi @Melvin_Machado, thanks for reaching out to us on the Live Community.
What is the severity configured to this custom BIOC rule? Only Medium to Critical alerts will generate an Incident, and if the host generating it is always the same, the alerts should be added to the same Incident.
If this post answers your question, please mark it as the solution.
10-01-2024 01:36 AM
Hello Jmazzeo,
When I change the severity to Medium, it creates an incident and merges all the alerts as expected 🙂
However, I’m facing another issue now. An alert is being generated even when only 4 KB is uploaded.
I would like the system to trigger an alert only when more than 10 MB is uploaded. Could you help me adjust this setting?
Thank you!
10-01-2024 03:07 AM - edited 10-18-2024 07:31 AM
Thank you for your help! I found a solution.
preset = network_story | filter dst_action_external_hostname in ("*.onedrive.com", "*.onedrive.live.com") | filter action_total_upload > 10485760 |
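An added example, not code from the thread, that reproduces the two filters of the accepted rule in Python over constructed network_story-style records (the field names come from the rule; the sample records and helper names are assumptions), so the byte threshold and the wildcard host match can be checked offline before the BIOC is saved:

```python
# Added example (not from the thread): offline check of the accepted BIOC filter logic.
from fnmatch import fnmatchcase

# Hostname patterns and byte threshold taken from the accepted solution above.
ONEDRIVE_PATTERNS = ("*.onedrive.com", "*.onedrive.live.com")
UPLOAD_THRESHOLD_BYTES = 10 * 1024 * 1024  # 10 MiB = 10485760, as in the rule


def matches_hostname(hostname: str) -> bool:
    """Case-insensitive wildcard match, mirroring the `in ("*.onedrive.com", ...)` clause."""
    host = (hostname or "").lower()
    return any(fnmatchcase(host, pattern) for pattern in ONEDRIVE_PATTERNS)


def would_alert(record: dict, threshold: int = UPLOAD_THRESHOLD_BYTES) -> bool:
    """True when the record satisfies both filters of the rule."""
    host = record.get("dst_action_external_hostname")
    uploaded = record.get("action_total_upload")
    if host is None or uploaded is None:
        return False  # a missing field never matches, like a filter on a null value
    return matches_hostname(host) and uploaded > threshold


def alerting_records(records, threshold: int = UPLOAD_THRESHOLD_BYTES) -> list:
    """Return only the records the rule would raise an alert for."""
    return [r for r in records if would_alert(r, threshold)]


# Constructed sample records (assumed values, not real telemetry).
SAMPLE_RECORDS = [
    # 4 KB upload to OneDrive: host matches, size does not
    {"dst_action_external_hostname": "my-files.onedrive.live.com", "action_total_upload": 4096},
    # ~1.2 MB upload: would have fired with the first rule's 1000000 threshold, not with 10 MiB
    {"dst_action_external_hostname": "my-files.onedrive.live.com", "action_total_upload": 1_200_000},
    # large upload to a host outside the rule's list: never alerts, whatever the size
    {"dst_action_external_hostname": "files.example.net", "action_total_upload": 95 * 1024**3},
    # 100 GB upload to OneDrive: both filters satisfied
    {"dst_action_external_hostname": "storage.onedrive.com", "action_total_upload": 100 * 1024**3},
    # record without an upload size
    {"dst_action_external_hostname": "files.onedrive.com", "action_total_upload": None},
]

if __name__ == "__main__":
    for r in alerting_records(SAMPLE_RECORDS):
        print("would alert:", r)
```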
11-29-2024 07:25 AM
| filter action_total_upload > 80000000 // bits (10 MB)