11-23-2023 04:11 AM
Hey,
I need your help.
We are receiving alerts "XDR Incident 945 - 'Large upload (generic)' generated by #XDR Analytics detected...
Basically, this appears when the user makes a call, shares documents, or shares their screen (using Microsoft Teams).
In the #XSOAR event I can see that the processname is ms-teams.exe and the destination ip is from Microsoft Azure networks
I know this is related to screen sharing because it has happened to my user/laptop.
I tried to create a pre-process rule to do autoclose....in the test... pre-process it works, in practice it doesn't.
Does this situation happen to everyone?
any suggestion??
12-29-2023 01:14 AM
Hi @tlmarques ,
Normally, preprocessing script should discard those incidents if configured properly. I need to see your script and the raw data coming from the incident to be able to help. If you are still facing the issue, please try to provide relevant part from incident data with demisto.incident() and your preprocessing script.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
