10-05-2023 03:41 AM - edited 10-05-2023 03:52 AM
Hi Everyone,
I'm new to Cortex XDR and looking to enhance our network security alerts. I want to create a BIOC rule that triggers an alert whenever a data transfer larger than 100MB occurs between two devices (Local IP to Remote IP). This will help us monitor potentially malicious data transfers or data exfiltration.
While we receive XDR Analytic Alerts for certain applications like Microsoft Teams uploading large amounts of data to remote servers, I'd like to implement a similar alerting mechanism for FTP/SFTP or any file transfer protocol.
Currently, I'm using a query example from the Query Library (attached), but it's not providing results for FTP. It works when I replace "FTP" with "SMB" or other protocols.
Is there something I'm missing, or do I need to set up the FTP Collector applet on the BrokerVM to achieve this goal?
Your insights and guidance would be greatly appreciated.
Thanks in advance!
Just to clarify: I want an alert when data uploaded/downloaded is more than a certain size displaying Local and Remote IP table.
10-05-2023 01:27 PM
Hi GoatBloke,
There is an existing Analytics alert for Large Upload (FTP) where our analytics engine identifies anomalous upload activity outside of the activity baseline established for the endpoint.
The Cortex XDR - Analytics alerts are detect-only and are heavily dependent upon receiving logs from network devices that would have been involved in transmitting the exfiltrated files. Please ensure that you have the appropriate license and onboarded NGFW logs to your tenant. Ingesting logs from Next-Generation Firewall requires a Cortex XDR Pro per GB license.
In regard to the XQL query, please note not all BIOCs can be applied as Custom Prevention Rules. Reference: Create a BIOC Rule (Cortex XDR Pro Administrator Guide).
The following describes the event_type values for which you can create a BIOC rule.
Also, here is a LIVEcommunity walkthrough video on how to create custom prevention rules via BIOCs: https://live.paloaltonetworks.com/t5/cortex-xdr-videos/custom-prevention-rules/ta-p/347271
If you found this response helpful, please Like and select Accept as Solution.
Thank you!
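To make the two detection styles discussed in this thread concrete (a fixed 100 MB threshold per Local IP / Remote IP pair, as the question asks for, and a baseline-deviation check like the Analytics "Large Upload" alert described in the reply), here is an added, stand-alone Python illustration. It is not Cortex XDR XQL and not code from Palo Alto Networks; the session records, field names, app labels and the one-hour tumbling window are constructed assumptions so that the logic runs offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MB = 1024 * 1024

# Constructed sample records (not real Cortex XDR or NGFW data). Each tuple is
# (timestamp, local_ip, remote_ip, app, bytes_uploaded, bytes_downloaded).
SAMPLE_SESSIONS = [
    ("2023-10-05T03:00:00", "10.1.1.20", "203.0.113.9", "ftp", 60 * MB, 1 * MB),
    ("2023-10-05T03:10:00", "10.1.1.20", "203.0.113.9", "ftp", 55 * MB, 0),
    ("2023-10-05T03:20:00", "10.1.1.21", "198.51.100.4", "smb", 20 * MB, 5 * MB),
    ("2023-10-05T03:30:00", "10.1.1.22", "192.0.2.7", "sftp", 150 * MB, 2 * MB),
    ("2023-10-05T05:00:00", "10.1.1.20", "203.0.113.9", "ftp", 30 * MB, 0),
]

# Assumed app labels for "file transfer protocols"; adjust to your log source.
FILE_TRANSFER_APPS = {"ftp", "sftp", "ftps", "scp"}


def flag_large_transfers(sessions, threshold_bytes=100 * MB,
                         window=timedelta(hours=1), apps=FILE_TRANSFER_APPS):
    """BIOC-style fixed threshold: sum upload+download per
    (local IP, remote IP, app) inside each tumbling window and report pairs
    whose total exceeds threshold_bytes. Summing per window matters because
    a transfer split across several sessions would slip past a per-event check."""
    totals = defaultdict(int)
    epoch = datetime(1970, 1, 1)
    for ts, local_ip, remote_ip, app, up, down in sessions:
        if app not in apps:
            continue
        t = datetime.fromisoformat(ts)
        # Tumbling window start: truncate the timestamp to the window size.
        bucket = epoch + (t - epoch) // window * window
        totals[(bucket, local_ip, remote_ip, app)] += up + down
    hits = []
    for (bucket, local_ip, remote_ip, app), total in sorted(totals.items()):
        if total > threshold_bytes:
            hits.append({"window_start": bucket.isoformat(),
                         "local_ip": local_ip, "remote_ip": remote_ip,
                         "app": app, "total_mb": total // MB})
    return hits


def flag_baseline_deviation(history_bytes, today_bytes, z=3.0, floor_bytes=10 * MB):
    """Analytics-style check: compare today's upload volume for one endpoint
    with that endpoint's own daily history. Flag only when it is both far above
    the historical mean (z standard deviations) and above an absolute floor,
    so a quiet host moving from 1 KB to 50 KB does not page anyone."""
    if len(history_bytes) < 2:
        return False  # not enough history to establish a baseline
    mu = mean(history_bytes)
    sigma = pstdev(history_bytes)
    return today_bytes > max(floor_bytes, mu + z * sigma)


if __name__ == "__main__":
    for hit in flag_large_transfers(SAMPLE_SESSIONS):
        print("threshold hit:", hit)
    history = [5 * MB, 6 * MB, 5 * MB, 7 * MB, 6 * MB]  # constructed daily uploads
    print("baseline deviation:", flag_baseline_deviation(history, 145 * MB))
```

With the constructed sample, the two FTP sessions at 03:00 and 03:10 are individually under 100 MB but sum to 116 MB for the same IP pair and are flagged together, while the single 25 MB SMB session is ignored by the app filter. The baseline function shows why the Analytics alert in the reply needs NGFW logs over time: without a history of per-endpoint volumes there is nothing to deviate from, and the function refuses to alert.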