Large Upload (HTTPS)

The Cortex XDR – Analytics Large Upload (HTTPS) alert indicates that an endpoint is transferring an excessive amount of data over HTTP/S to an external site.

Synopsis

1 hour.
15 days.
2 weeks.
1 day.
Traffic logs.
Exfiltration.

Description

An endpoint is transferring an excessive amount of data to an external site over HTTP/S. The destination is not a popular upload site for endpoints on your network, and the endpoint performing the upload has not previously downloaded a large amount of data from the site. The upload is considered excessive based on comparison to baseline measurements of HTTP/S data transfers on your network.

Attacker's Goals

Transfer data she has stolen from your network to a location that is convenient and useful to her.

Investigative Actions

  • Check if this alert has been falsely triggered by the use of DNS load balancers. If an endpoint routinely uploads data to a site that makes use of load balancers, the transfer might ordinarily be split into multiple sessions and across multiple subdomains, which can cause the baseline measurement to be incorrect. In that situation, a routine upload that randomly places the bulk of the data in a single session to a single subdomain can look excessive to the Cortex XDR – Analytics detector.
  • Check if the device performing the data transfer is a mobile phone performing a backup. Cortex XDR – Analytics will not always measure the baseline properly for mobile devices, especially if the backups are performed infrequently and contain a great deal of data. If the data transfer is a mobile device running a backup, check to ensure that only appropriate data is included in the backup.
  • Identify the process/user performing the data transfer to determine if the transfer is sanctioned.
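The following is an added example, not Cortex XDR code and not Palo Alto Networks' detector logic: it models the behaviour the description and the first investigative action above lay out, on constructed traffic-log records. Per-endpoint daily upload totals from a training window form the baseline; a test-day upload is flagged when it exceeds that baseline, then suppressed if the destination is a popular upload site on the network or if the endpoint previously downloaded a comparable amount from it. Running the same detector keyed on the parent domain instead of the full hostname shows why a load-balanced upload that lands on one subdomain in a single session looks excessive per host but not per site. The thresholds, the "popular site" cut-off, the prior-download ratio and the last-two-labels domain rule are all assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

TRAINING_DAYS = range(1, 6)   # constructed 5-day training window (the real detector has its own periods)
TEST_DAY = 6
POPULAR_MIN_ENDPOINTS = 5     # assumption: this many distinct uploaders makes a site "popular"
PRIOR_DOWNLOAD_RATIO = 0.5    # assumption: earlier downloads >= 50% of the upload suppress the alert

# Constructed session records: (day, endpoint, destination host, bytes_sent, bytes_received)
TRAFFIC = []
for d in TRAINING_DAYS:
    TRAFFIC += [
        # host-a pushes ~10 MB/day to a load-balanced site, split over two subdomains
        (d, "host-a", "lb-a.docs.corp.example", 5_000_000, 100_000),
        (d, "host-a", "lb-b.docs.corp.example", 5_000_000, 100_000),
        (d, "host-b", "cdn.popular.example", 200_000, 50_000),
        (d, "host-c", "cdn.popular.example", 150_000, 60_000),
        (d, "host-d", "cdn.popular.example", 100_000, 60_000),
    ]
    # many endpoints upload to cdn.popular.example, so it counts as a popular upload site
    TRAFFIC += [(d, f"host-{i}", "cdn.popular.example", 20_000_000, 10_000) for i in range(10, 15)]
TRAFFIC.append((2, "host-b", "mirror.example", 50_000, 400_000_000))   # big earlier download
TRAFFIC += [
    (TEST_DAY, "host-a", "lb-a.docs.corp.example", 12_000_000, 100_000),  # bulk landed on one subdomain
    (TEST_DAY, "host-b", "mirror.example", 300_000_000, 10_000),          # returns data to a site it pulled from
    (TEST_DAY, "host-c", "drop.unknown.example", 300_000_000, 5_000),     # nobody else uploads here
    (TEST_DAY, "host-d", "cdn.popular.example", 500_000_000, 20_000),     # large, but to a popular site
]


def parent_domain(host):
    """Collapse load-balanced subdomains: lb-a.docs.corp.example -> corp.example.
    Naive last-two-labels rule (an assumption); real code needs a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def daily_totals(records, site_key):
    """Sum bytes per (day, endpoint, site), where site_key picks the aggregation granularity."""
    sent, recv = defaultdict(int), defaultdict(int)
    for day, endpoint, host, b_sent, b_recv in records:
        sent[(day, endpoint, site_key(host))] += b_sent
        recv[(day, endpoint, site_key(host))] += b_recv
    return sent, recv


def is_excessive(value, history, fallback):
    """Excessive = above mean + 3 sd and above twice the mean of the baseline.
    With fewer than two points for this site, use the endpoint's overall daily history."""
    hist = history if len(history) >= 2 else fallback
    if len(hist) < 2:
        return value > 0          # assumption: no baseline at all means any upload is notable
    m = mean(hist)
    return value > max(m + 3 * pstdev(hist), 2 * m)


def detect_large_uploads(records, site_key=lambda host: host):
    """Return {(endpoint, site): verdict} for test-day uploads that exceed the baseline."""
    sent, recv = daily_totals(records, site_key)
    per_site = defaultdict(list)                       # (endpoint, site) -> daily bytes sent
    per_endpoint = defaultdict(lambda: defaultdict(int))  # endpoint -> day -> bytes sent, all sites
    uploaders = defaultdict(set)                       # site -> endpoints that uploaded to it
    prior_recv = defaultdict(int)                      # (endpoint, site) -> bytes downloaded earlier
    for (day, ep, site), b in sent.items():
        if day in TRAINING_DAYS:
            per_site[(ep, site)].append(b)
            per_endpoint[ep][day] += b
            if b > 0:
                uploaders[site].add(ep)
    for (day, ep, site), b in recv.items():
        if day in TRAINING_DAYS:
            prior_recv[(ep, site)] += b

    verdicts = {}
    for (day, ep, site), b in sent.items():
        if day != TEST_DAY:
            continue
        if not is_excessive(b, per_site[(ep, site)], list(per_endpoint[ep].values())):
            continue
        if len(uploaders[site]) >= POPULAR_MIN_ENDPOINTS:
            verdicts[(ep, site)] = "suppressed: popular upload site"
        elif prior_recv[(ep, site)] >= PRIOR_DOWNLOAD_RATIO * b:
            verdicts[(ep, site)] = "suppressed: endpoint previously downloaded a comparable amount"
        else:
            verdicts[(ep, site)] = "ALERT: large upload"
    return verdicts


if __name__ == "__main__":
    print("keyed on full hostname:", detect_large_uploads(TRAFFIC))
    print("keyed on parent domain:", detect_large_uploads(TRAFFIC, site_key=parent_domain))
```

Keyed on the full hostname, host-a's 12 MB session to lb-a.docs.corp.example is flagged because its per-subdomain baseline is 5 MB/day; keyed on the parent domain the baseline is the 10 MB/day the endpoint always sends, and the alert disappears, which is the load-balancer false positive the first investigative action describes. host-c's upload to a site no other endpoint uses stays an alert either way, while host-b and host-d are suppressed by the prior-download and popular-site conditions from the description.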

Related Documentation