Recently we are getting high number of large data upload alerts in Cortex XDR.
The issue is data upload alerts are flagged with domain name stun.l.google.com on port 19302 ,UDP.
Why browsers are connecting to this stun server ?
when queried about it ,known few things about WebRTC , NAT & how STUN is used in peer to peer communicating.
any one received similar kind of alerts ?
Can we ignore & exclude this alerts /
Alerts regarding Large Uploads are of the analytical type in Cortex XDR. When Analytics are enabled for your Cortex XDR agents, the XDR agent will gather EDR data, upload it to the Cortex XDR service and the Corte XDR analytics engine will then start creating profiles (baseline) based on PAN models for each of these machines. If you are now getting alerts for Large Uploads, it could mean that prior to that alert, those endpoints might have been reaching "stun.l.google.com" and uploading data with a very consistent size, but now that size has increased which goes against the analytical profile (baseline), therefore creating an Analytics alerts.
The decision on whether you can ignore and exclude needs to come from your organization. The activity needs to be investigated and the SOC needs to provide its assessment/recommendation on what to do with it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!