12-13-2023 05:37 AM
Hi Team,
We are receiving more alerts 'Large Upload (Generic)' generated by XDR Analytics from Microsoft Teams (ms-teams.exe), and I checked the IPs: Microsoft Corporation (ISP) and domain microsoft.com.
I need an answer to the following questions:
1. How are the alerts getting triggered?
2. How to reduce it / mitigation?
3. How to investigate it?
Please help with it.
Cortex XDR #Large Upload (Generic) #alerts
12-13-2023 05:53 AM
Hi @Vijisaga
Thank you for reaching out to Palo Alto Networks Live community.
Below are the answers to your questions:
1. How the alerts are getting triggered?
The endpoint transferred large amounts of data to an external site using a different protocol from HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.) Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects data transfers over all other ports to be low. For the same reason, Cortex XDR Analytics also assumes endpoint traffic towards a specific destination should be about the same over long periods of time. An attacker may be exfiltrating data directly to the internet.
2. How to reduce it / mitigation?
You can create an Alert Exclusion or an Automation rule for this.
>> Alert Exclusion:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Alert-Exclu...
>> Automation rule:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Automation-...
3. How to investigate it?
Investigative actions:
>> Check if the traffic is related to SSH activity; it can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity.
>> Check if the traffic is to/from a misconfigured network.
>> Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise.
>> Identify the process/user performing the data transfer to determine if the transfer is sanctioned.
Please find the below helpful document for Cortex XDR Analytics Alert Reference:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Required-Data-Source...
Please find the below helpful document for Cortex XDR Analytics Alert Reference/Large-Upload-Generic:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Large-Upload-Generic
Hope this will be helpful!
Please mark the response as "Accept as Solution" if it answers your query.
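The detector description above (data sent over ports other than HTTP/s, FTP and SMTP, compared against a long-term per-destination baseline) can be modelled in a few lines. The following is an added illustration, not Palo Alto Networks' code and not the actual Cortex XDR Analytics algorithm; the port set, the absolute threshold, the ratio against the baseline and the sample flows are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ports covered by the dedicated per-protocol detectors (HTTP/s, FTP, SMTP).
# The generic detector in this simplified model only looks at everything else.
# Assumption: a toy approximation of the description in the reply above.
PROTOCOL_SPECIFIC_PORTS = {80, 443, 21, 25, 587}


@dataclass
class Flow:
    host: str
    process: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def aggregate_uploads(flows):
    """Sum outbound bytes per (host, destination IP), ignoring the ports that
    have their own detector."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst_port in PROTOCOL_SPECIFIC_PORTS:
            continue
        totals[(f.host, f.dst_ip)] += f.bytes_out
    return dict(totals)


def large_upload_alerts(current_flows, baseline_bytes, min_bytes=100_000_000, ratio=5.0):
    """Flag (host, destination) pairs whose upload volume on non-standard ports is
    both large in absolute terms and far above the learned per-destination baseline.
    Thresholds are constructed for this example, not Cortex XDR's real values."""
    alerts = []
    for (host, dst_ip), total in aggregate_uploads(current_flows).items():
        base = baseline_bytes.get((host, dst_ip), 0)
        if total >= min_bytes and total >= ratio * max(base, 1):
            alerts.append({"host": host, "dst_ip": dst_ip, "bytes": total, "baseline": base})
    return alerts


# Constructed sample data: a Teams media session over UDP 3478/3479 from WS-01,
# a large HTTPS upload (handled by the HTTP detector, so ignored here), and a
# smaller Teams session from WS-02 that stays under the absolute threshold.
SAMPLE_FLOWS = [
    Flow("WS-01", "ms-teams.exe", "52.112.10.20", 3478, 60_000_000),
    Flow("WS-01", "ms-teams.exe", "52.112.10.20", 3479, 90_000_000),
    Flow("WS-01", "chrome.exe", "203.0.113.10", 443, 500_000_000),
    Flow("WS-02", "ms-teams.exe", "52.112.10.21", 3478, 40_000_000),
]

# Constructed baseline: WS-01 normally sends ~10 MB to that destination, so
# 150 MB in one window is a large deviation and will be flagged.
BASELINE = {("WS-01", "52.112.10.20"): 10_000_000}

if __name__ == "__main__":
    for a in large_upload_alerts(SAMPLE_FLOWS, BASELINE):
        print(f"Large Upload (Generic): {a['host']} -> {a['dst_ip']} "
              f"{a['bytes'] / 1e6:.0f} MB (baseline {a['baseline'] / 1e6:.0f} MB)")
```

The sample shows why a screen-sharing call stands out: Teams media goes over UDP ports outside the HTTP/FTP/SMTP set, and a long call pushes far more bytes to one Microsoft destination than the quiet baseline learned for that host.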
12-13-2023 07:46 AM
Thanks for your response! @dbahuguna
Why are most of the alerts triggered from Microsoft Teams (ms-teams.exe)?
12-18-2023 10:20 AM
I have the same problem. But in my case, I opened a case with the support team...
The answer was: for every call with screen sharing, document sharing, etc., XDR will create an alert.
The only way to stop this appearing is to accept the risk and create a pre-process rule.
Please mark the response as "Accept as Solution" if it answers your query.
12-19-2023 04:31 AM
Thanks for the response @tlmarques
Some of the users confirmed that they haven't shared any data through ms-teams. So, in this case, what action needs to be performed? @tlmarques @dbahuguna
12-19-2023 09:19 AM
In my case, when users start a meeting and share their screen, the alert appears. But
12-19-2023 09:44 AM
Confirm whether the destination IP is Microsoft Teams or not.
See this from the IP in the XDR Alert information and compare it with the link "Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn".
Then open a case with the support team.
Hope this will be helpful!
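The check suggested above (compare the alert's destination IP against Microsoft's published ranges before deciding whether to exclude or investigate), combined with the SSH and process checks from the earlier reply, can be scripted so that each alert gets a consistent verdict. This is an added example, not code from the thread or from Palo Alto Networks; the two CIDRs are constructed sample values and must be replaced with the current list from the Microsoft 365 IP address and URL web service (endpoints.office.com) or the Microsoft Learn page linked above, and the Teams media port range and the alert records are assumptions for the example.

```python
import ipaddress

# Constructed sample of Microsoft 365 / Teams IPv4 ranges. Not authoritative:
# refresh from Microsoft's published list before using this in production.
TEAMS_RANGES = [ipaddress.ip_network(c) for c in ("52.112.0.0/14", "52.122.0.0/15")]

# UDP ports used by Teams media (assumption taken from Microsoft's network
# requirements; verify against the current documentation).
TEAMS_MEDIA_PORTS = range(3478, 3482)

VERDICT_TEAMS = "expected: ms-teams.exe media to a published Microsoft range"
VERDICT_MS_UNEXPECTED = "verify: Microsoft range, but unexpected process or port"
VERDICT_SSH = "investigate: SSH data transfer, confirm it is sanctioned"
VERDICT_UNKNOWN = "investigate: destination outside published Microsoft ranges"


def in_published_ranges(ip, networks=TEAMS_RANGES):
    """True if the destination IP falls inside any of the published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(alert):
    """Return a triage verdict for one Large Upload (Generic) alert.

    alert is a dict with keys host, process, dst_ip, dst_port (constructed
    shape for this example, not the Cortex XDR alert schema)."""
    if alert["dst_port"] == 22:
        return VERDICT_SSH
    if not in_published_ranges(alert["dst_ip"]):
        return VERDICT_UNKNOWN
    if alert["process"].lower() == "ms-teams.exe" and alert["dst_port"] in TEAMS_MEDIA_PORTS:
        return VERDICT_TEAMS
    return VERDICT_MS_UNEXPECTED


def triage_batch(alerts):
    """Map each alert to its verdict so the Teams noise can be separated from
    the alerts that still need a human look."""
    return [(a["host"], a["dst_ip"], triage(a)) for a in alerts]


# Constructed sample alerts: a normal Teams call, a different process talking
# to a Microsoft range on an odd port, an SSH transfer, and an unknown destination.
SAMPLE_ALERTS = [
    {"host": "WS-01", "process": "ms-teams.exe", "dst_ip": "52.112.10.20", "dst_port": 3478},
    {"host": "WS-03", "process": "unknown.exe", "dst_ip": "52.123.4.5", "dst_port": 5555},
    {"host": "SRV-01", "process": "scp.exe", "dst_ip": "198.51.100.7", "dst_port": 22},
    {"host": "WS-04", "process": "ms-teams.exe", "dst_ip": "203.0.113.9", "dst_port": 3478},
]

if __name__ == "__main__":
    for host, dst, verdict in triage_batch(SAMPLE_ALERTS):
        print(f"{host:7} {dst:15} {verdict}")
```

Only alerts that land on the first verdict are candidates for the Alert Exclusion or Automation rule mentioned earlier; the point of checking the range, the process and the port together is that an exclusion written on the process name alone would also silence ms-teams.exe talking to an address that is not Microsoft's.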