Large Upload (FTP)

The Cortex XDR – Analytics Large Upload (FTP) alert indicates that a non-FTP server process is transferring an excessive amount of data.


1 hour.
7 days.
None. All limit values are predetermined.
3 days.
Traffic logs.


An entity or device that is not an FTP server is transferring an excessively large amount of data to a single destination. The data limit used to trigger this alert is predetermined, and is not computed from baseline activity seen on your network.

Attacker's Goals

Transfer data he has stolen from your network to a location that is convenient and useful to him.

Investigative Actions

  • Verify that the source is not an FTP server. If Cortex XDR – Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive.
  • Identify the entity performing the data transfer to determine if the transfer is sanctioned.
  • Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.
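
The first two investigative actions can be reproduced offline against exported traffic logs. The script below is an added example, not Palo Alto Networks code: the record field names, the FTP server inventory, the sample records and the 1 GB limit are all assumptions constructed for illustration, and the records are assumed to fall within one review window.

```python
from collections import defaultdict

# Constructed sample traffic-log records; field names are assumptions,
# not the Cortex XDR log schema.
SAMPLE_LOGS = [
    {"src": "10.0.5.23", "dst": "203.0.113.40", "app": "ftp", "bytes_sent": 700_000_000},
    {"src": "10.0.5.23", "dst": "203.0.113.40", "app": "ftp", "bytes_sent": 600_000_000},
    {"src": "10.0.5.23", "dst": "198.51.100.9", "app": "ftp", "bytes_sent": 200_000_000},
    {"src": "10.0.1.10", "dst": "198.51.100.7", "app": "ftp", "bytes_sent": 2_000_000_000},
    {"src": "10.0.7.8", "dst": "203.0.113.40", "app": "ssl", "bytes_sent": 5_000_000_000},
    {"src": "10.0.9.4", "dst": "198.51.100.20", "app": "ftp", "bytes_sent": 600_000_000},
    {"src": "10.0.9.4", "dst": "198.51.100.21", "app": "ftp", "bytes_sent": 600_000_000},
]

# Assumed inventory of sanctioned FTP servers (hypothetical address).
KNOWN_FTP_SERVERS = {"10.0.1.10"}

# Assumed fixed limit. The alert uses a predetermined limit rather than a
# learned baseline; the product's actual value is not stated on this page.
LIMIT_BYTES = 1_000_000_000


def large_ftp_uploads(logs, ftp_servers, limit_bytes):
    """Sum FTP bytes per (source, destination) and triage pairs over the limit."""
    totals = defaultdict(int)
    for rec in logs:
        if rec["app"] != "ftp":
            continue  # only FTP traffic is relevant to this alert
        # Key on the pair: the alert concerns volume to a single destination.
        totals[(rec["src"], rec["dst"])] += rec["bytes_sent"]

    findings = []
    for (src, dst), total in sorted(totals.items()):
        if total <= limit_bytes:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "bytes_sent": total,
            # A source that is really an FTP server points to a false positive.
            "verdict": "likely false positive" if src in ftp_servers else "investigate",
        })
    return findings


if __name__ == "__main__":
    for finding in large_ftp_uploads(SAMPLE_LOGS, KNOWN_FTP_SERVERS, LIMIT_BYTES):
        print(finding)
```

Host 10.0.9.4 sends more than the limit in total but stays under it per destination, so it is not reported; whether the flagged transfer from 10.0.5.23 is sanctioned still has to be confirmed with the owner of that host.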
