Large Upload(Generic) Microsoft Teams alerts

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Large Upload(Generic) Microsoft Teams alerts

L1 Bithead

Hi Team,

We are receiving more alerts 'Large Upload (Generic)' generated by XDR Analytics from Microsoft Teams (ms-teams.exe) and i checked the IPs - Microsoft Corporation (ISP) and Domain -microsoft.com. 

 

I need an answer to the following questions:

1. How the alerts are getting triggered

2. How to Reduce it /mitigation

3. How to investigate it

 

Pls help on it.....

Cortex XDR   #Large Upload (Generic)    #alerts 

1 accepted solution

Accepted Solutions

confirm whether the destination IP is Microsoft Teams or not...
see this from the IP in the XDR Alert information and compare with the link "Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn"

Then open a case with the support team....

Hope this will be helpful!

Best regards
Tiago Marques

View solution in original post

6 REPLIES 6

L2 Linker

Hi @Vijisaga 

 

Thank you for reaching out to Palo Alto Networks Live community.

 

Below are the answers to your questions:

1. How the alerts are getting triggered?

The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.) Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects that data transfers over all other ports to be low. For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time. An attacker may be exfiltrating data directly to the internet.

 

2. How to Reduce it /mitigation?

You can created the Alert Exclusion or Automation rule for the same.
>> Alert Exclusion:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Alert-Exclu...

>> Automation rule:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Automation-...

 

3. How to investigate it?

Investigative actions:
>> Check if the traffic is related to SSH activity, it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity.
>> Check if the traffic is to/from a misconfigured network.
>> Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise.
>> Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

 

Please find the below helpful document for Cortex XDR Analytics Alert Reference:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Required-Data-Source...

 

Please find the below helpful document for Cortex XDR Analytics Alert Reference/Large-Upload-Generic:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Large-Upload-Generic

 

Hope this will be helpful!

 

Please mark the response as "Accept as Solution" if it answers your query.

L1 Bithead

Thanks for your response! @dbahuguna 

why most of the alerts are triggered from Microsoft Teams (ms-teams.exe)?

 

I have the same problem. But in my case, I opened a case with the support team...
The answer was, every call with screen sharing, document sharing, etc... XDR will create an alert.

The only chance of this not appear is accept the risk and create a pre process rule.

Please mark the response as "Accept as Solution" if it answers your query.

Best regards
Tiago Marques

L1 Bithead

Thanks for the response @tlmarques

Some of the users confirmed that they haven't shared any data through ms-teams. so, in this case, what action needs to be performed? @tlmarques @dbahuguna 

in my case, when users start a meeting and sharing screen, the alert appear. but 

Best regards
Tiago Marques

confirm whether the destination IP is Microsoft Teams or not...
see this from the IP in the XDR Alert information and compare with the link "Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn"

Then open a case with the support team....

Hope this will be helpful!

Best regards
Tiago Marques
  • 1 accepted solution
  • 1986 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!