Data Exfiltration / Large file uploads

cancel
Showing results for 
Search instead for 
Did you mean: 

Data Exfiltration / Large file uploads

L1 Bithead

Hello community,

 

I was wondering if anyone found an efficient query to look for data exfiltration/large file uploads?

 

I'm looking more from a threat hunting perspective, where I would want to trace one or multiple file being uploaded to a remote destination.

 

Right now the only way I've found is to correlate file read actions in the same timeframe of a network session to a remote site. But this isn't 100% reliable way and that wouldn't hold in court as evidence since at the end of the day it is just a file read.

 

Anyone has any suggestions?

 

Thank you

 

Luc D.

2 REPLIES 2

L1 Bithead

Please check out

1. XQL Query library: you can search for "upload" to see all related queries like Large FTP Sessions, Curl uploading more than 1MB etc

 

2. XDR Analytics currently do large uploads computation if there is applicable data. It triggers when endpoint transferred an excessive amount of data to an unpopular destination.

 

Please check-out:

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

You can get more interesting data if you have enhanced application logging from NGFW. Sample fields (like session upload) from the session detail is attached.

Hi Malalade,

 

Thank you for the info, but this doesn't really answer my question which is how can you identify what data was uploaded.

 

Let me know if you can think of anything. Right now I go with file reads from the process generating the large upload, but this is far from a 100% science, was wondering if others figured out other more efficient ways.

 

Thanks

 

Luc

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!