Creating BIOC Rule for Large FTP Sessions

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Creating BIOC Rule for Large FTP Sessions

L0 Member

Hi Everyone,

I'm new to Cortex XDR and looking to enhance our network security alerts. I want to create a BIOC rule that triggers an alert whenever a data transfer larger than 100MB occurs between two devices (Local IP to Remote IP). This will help us monitor potentially malicious data transfers or data exfiltration.

While we receive XDR Analytic Alerts for certain applications like Microsoft Teams uploading large amounts of data to remote servers, I'd like to implement a similar alerting mechanism for FTP/SFTP or any file transfer protocol.

Currently, I'm using a query example from the Query Library (attached), but it's not providing results for FTP. It works when I replace "FTP" with "SMB" or other protocols.

Is there something I'm missing, or do I need to set up the FTP Collector apllet on the BrokerVM to achieve this goal?

Your insights and guidance would be greatly appreciated.

Thanks in advance!

Just to clarify: I want an alert when data uploaded/downloaded is more than a certain size displaying Local and Remote IP table.

1 accepted solution

Accepted Solutions

L3 Networker

Hi GoatBloke, 

 

There is an existing Analytics alert for Large Upload (FTP) where our analytics engine identifies anomalous upload activity outside of the activity baseline established for the endpoint. 

 

The Cortex XDR - Analytics alerts are detect-only and are heavily dependent upon receiving logs from network devices that would have been involved in transmitting the exfiltrated files. Please ensure that you have the appropriate license and onboarded NGFW logs to your tenant. Ingesting logs from Next-Generation Firewall requires a Cortex XDR Pro per GB license.

 

In regard to the XQL query, please note not all BIOCs can be applied as Custom Prevention Rules. Reference Create a BIOC Rule • Cortex XDR Pro Administrator Guide

The following describes the event_type values for which you can create a BIOC rule.

  • FILE—Events relating to file create, write, read, and rename according to the file name and path.
  • INJECTION—Events related to process injections.
  • LOAD_IMAGE—Events relating to module IDs of processes.
  • NETWORK—Events relating to incoming and outgoing network, filed IP addresses, port, host name, and protocol.
  • PROCESS—Events relating to execution and injection of a process name, hash, path, and CMD.
  • REGISTRY—Events relating to registry write, rename and delete according to registry path.
  • STORY—Events relating to a combination of firewall and endpoint logs over the network.
  • EVENT_LOG—Events relating to Windows event logs and Linux system authentication logs.

Also, here is a LIVEcommunity walkthrough video on how to create custom prevention rules via BIOC’s: https://live.paloaltonetworks.com/t5/cortex-xdr-videos/custom-prevention-rules/ta-p/347271

 

If you found this response helpful, please Like and select Accept as Solution. 

 

Thank you!

 

If you found this answer helpful, please select Accept as Solution.

View solution in original post

1 REPLY 1

L3 Networker

Hi GoatBloke, 

 

There is an existing Analytics alert for Large Upload (FTP) where our analytics engine identifies anomalous upload activity outside of the activity baseline established for the endpoint. 

 

The Cortex XDR - Analytics alerts are detect-only and are heavily dependent upon receiving logs from network devices that would have been involved in transmitting the exfiltrated files. Please ensure that you have the appropriate license and onboarded NGFW logs to your tenant. Ingesting logs from Next-Generation Firewall requires a Cortex XDR Pro per GB license.

 

In regard to the XQL query, please note not all BIOCs can be applied as Custom Prevention Rules. Reference Create a BIOC Rule • Cortex XDR Pro Administrator Guide

The following describes the event_type values for which you can create a BIOC rule.

  • FILE—Events relating to file create, write, read, and rename according to the file name and path.
  • INJECTION—Events related to process injections.
  • LOAD_IMAGE—Events relating to module IDs of processes.
  • NETWORK—Events relating to incoming and outgoing network, filed IP addresses, port, host name, and protocol.
  • PROCESS—Events relating to execution and injection of a process name, hash, path, and CMD.
  • REGISTRY—Events relating to registry write, rename and delete according to registry path.
  • STORY—Events relating to a combination of firewall and endpoint logs over the network.
  • EVENT_LOG—Events relating to Windows event logs and Linux system authentication logs.

Also, here is a LIVEcommunity walkthrough video on how to create custom prevention rules via BIOC’s: https://live.paloaltonetworks.com/t5/cortex-xdr-videos/custom-prevention-rules/ta-p/347271

 

If you found this response helpful, please Like and select Accept as Solution. 

 

Thank you!

 

If you found this answer helpful, please select Accept as Solution.
  • 1 accepted solution
  • 1667 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!