Large Upload (Generic)
The Cortex XDR – Analytics Large Upload (Generic) alert indicates that an endpoint is transferring an excessive amount of data to an external site.
Data source: traffic logs or Traps endpoint data.
An endpoint is transferring an excessive amount of data to an external site using a protocol other than HTTP/S, FTP, or SMTP. (A specific detector is used for each of those three protocols.) Cortex XDR – Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects data transfers over all other ports to be low. For the same reason, Cortex XDR – Analytics also assumes that endpoint traffic towards a specific destination should remain about the same over long periods of time.
Attacker's goal: transfer data stolen from your network to a location that is convenient and useful to the attacker.
- Check if the traffic is caused by SSH, as activity over that protocol can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity.
- Check if the traffic is to/from a misconfigured network.
- Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your enterprise.
- Identify the process/user performing the data transfer to determine if the transfer is sanctioned.
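The detection logic described above (baseline per-destination upload volume over ports not covered by the HTTP/S, FTP and SMTP detectors, then flag a sudden jump), worked through over constructed traffic-log records. This is an added illustration, not Cortex XDR's own algorithm; the port list, thresholds and log layout are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Ports handled by the protocol-specific Large Upload detectors; the generic
# detector only considers everything else (assumed port numbers).
COVERED_PORTS = {80, 443, 21, 25}

# Constructed traffic-log records: (day, src_host, dst_ip, dst_port, bytes_sent)
SAMPLE_LOGS = [
    ("day1", "host-a", "203.0.113.10", 22, 120_000),
    ("day2", "host-a", "203.0.113.10", 22, 110_000),
    ("day3", "host-a", "203.0.113.10", 22, 130_000),
    ("day4", "host-a", "203.0.113.10", 22, 9_500_000),    # sudden large SSH upload
    ("day1", "host-b", "198.51.100.5", 443, 50_000_000),  # HTTPS: other detector
    ("day2", "host-b", "198.51.100.5", 443, 60_000_000),
    ("day1", "host-c", "192.0.2.7", 8443, 4_000_000),     # steady, expected volume
    ("day2", "host-c", "192.0.2.7", 8443, 4_100_000),
    ("day3", "host-c", "192.0.2.7", 8443, 3_900_000),
]

def daily_upload_bytes(logs):
    """Sum bytes sent per (src, dst) per day, skipping ports with their own detector."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, port, sent in logs:
        if port in COVERED_PORTS:
            continue
        totals[(src, dst)][day] += sent
    return totals

def large_upload_alerts(logs, min_history=2, z_threshold=3.0, min_bytes=1_000_000):
    """Flag the latest day for a (src, dst) pair when it far exceeds that pair's history."""
    alerts = []
    for (src, dst), per_day in daily_upload_bytes(logs).items():
        days = sorted(per_day)
        history = [per_day[d] for d in days[:-1]]
        latest_day, latest = days[-1], per_day[days[-1]]
        if len(history) < min_history or latest < min_bytes:
            continue  # not enough baseline, or too small to matter
        base_mean, base_sd = mean(history), pstdev(history)
        # Guard against near-zero variance so a steady baseline does not explode the score.
        scale = max(base_sd, 0.1 * base_mean, 1)
        if (latest - base_mean) / scale >= z_threshold:
            alerts.append({"src": src, "dst": dst, "day": latest_day,
                           "bytes": latest, "baseline_mean": base_mean})
    return alerts

if __name__ == "__main__":
    for a in large_upload_alerts(SAMPLE_LOGS):
        print(f"Large Upload (Generic): {a['src']} -> {a['dst']} on {a['day']}: "
              f"{a['bytes']} bytes (baseline ~{a['baseline_mean']:.0f})")
```

On the sample data only host-a's SSH session on day4 is flagged; host-b is left to the HTTPS detector and host-c's volume matches its own history.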