Large Upload (HTTPS)
The Cortex XDR – Analytics Large Upload (HTTPS) alert indicates that an endpoint is transferring an excessive amount of data over HTTP/S to an external site.
Synopsis: An endpoint is transferring an excessive amount of data to an external site over HTTP/S. The destination is not a popular upload site for endpoints on your network, and the uploading endpoint has not previously downloaded a large amount of data from that site. The upload is judged excessive by comparison with baseline measurements of HTTP/S data transfers on your network.
Attacker's goal: transfer data she has stolen from your network to a location that is convenient and useful to her.
- Check whether this alert was falsely triggered by DNS-based load balancing. If an endpoint routinely uploads to a site that sits behind load balancers, its transfers are normally split into multiple sessions and across multiple subdomains, so the per-destination baseline is built from fragments of the real volume. A routine upload that happens to land most of its data in a single session to a single subdomain then looks excessive to the Cortex XDR – Analytics detector.
- Check whether the device performing the transfer is a mobile phone running a backup. Cortex XDR – Analytics does not always measure the baseline properly for mobile devices, especially when backups are infrequent and contain a great deal of data. If the transfer is a mobile backup, confirm that only appropriate data is included in the backup.
- Identify the process and user performing the transfer, and the destination they are sending to, to determine whether the transfer is sanctioned.
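The synopsis above describes three tests: the upload exceeds a baseline, the destination is not a site many endpoints on the network upload to, and the endpoint has not previously downloaded comparable data from that destination. The load-balancer caveat in the first investigative action is a consequence of how the baseline is keyed. The block below is an added illustration of that logic written for this page; it is not Cortex XDR's code or its actual algorithm, and the flow records, hostnames, endpoint names, the multiplier `k`, and the "popular" and "prior download" thresholds are all constructed assumptions. It can be run in both keying modes to show how splitting a destination across subdomains produces a false positive.

```python
"""Illustrative large-upload detector (constructed example, not Cortex XDR's algorithm)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    endpoint: str   # internal host that initiated the HTTP/S session
    dest: str       # destination hostname (SNI or Host header)
    mb_out: int     # megabytes sent by the endpoint
    mb_in: int      # megabytes received by the endpoint


def registrable_domain(host: str) -> str:
    """Collapse load-balancer subdomains so lb-1/lb-2/lb-3.cloudsync.net share one
    baseline. Simplified to the last two labels; real code should use the public
    suffix list so that names under co.uk and similar suffixes are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def find_large_uploads(history, current, *, collapse_subdomains=True,
                       k=3, popular_min_uploaders=3, prior_download_ratio=0.5):
    """Return sorted (endpoint, site, mb_uploaded) tuples for uploads in `current`
    that are excessive relative to `history` and pass both exclusions."""
    key = registrable_domain if collapse_subdomains else (lambda h: h.lower())

    # Baseline: per (endpoint, site) upload/download totals from history, plus the
    # set of distinct endpoints that have uploaded to each site.
    hist_up, hist_down = defaultdict(int), defaultdict(int)
    uploaders = defaultdict(set)
    for f in history:
        site = key(f.dest)
        hist_up[(f.endpoint, site)] += f.mb_out
        hist_down[(f.endpoint, site)] += f.mb_in
        if f.mb_out > 0:
            uploaders[site].add(f.endpoint)
    network_median = median(hist_up.values()) if hist_up else 0

    cur_up = defaultdict(int)
    for f in current:
        cur_up[(f.endpoint, key(f.dest))] += f.mb_out

    alerts = []
    for (ep, site), up in cur_up.items():
        # A pair with its own history is judged against itself; a never-seen pair
        # is judged against the network-wide median of per-pair upload volume.
        expected = hist_up.get((ep, site), network_median)
        if up <= k * expected:
            continue                                    # within baseline
        if len(uploaders[site]) >= popular_min_uploaders:
            continue                                    # popular upload site on this network
        if hist_down[(ep, site)] >= prior_download_ratio * up:
            continue                                    # endpoint previously pulled comparable data from the site
        alerts.append((ep, site, up))
    return sorted(alerts)


# Constructed sample flows (megabytes); none of these hosts or endpoints are real.
HISTORY = [
    *[Flow(f"ws-0{i}", "backup.example.com", 50, 1) for i in range(1, 6)],  # 5 uploaders: popular site
    Flow("ws-09", "lb-1.cloudsync.net", 300, 2),   # routine upload spread by a load balancer
    Flow("ws-09", "lb-2.cloudsync.net", 300, 2),
    Flow("ws-09", "lb-3.cloudsync.net", 300, 2),
    Flow("ws-17", "updates.vendor.net", 1, 2000),  # pulled a large update earlier
]
CURRENT = [
    Flow("ws-03", "backup.example.com", 60, 1),            # routine backup, within baseline
    Flow("ws-09", "lb-2.cloudsync.net", 950, 2),           # load balancer put it all on one subdomain
    Flow("ws-17", "updates.vendor.net", 900, 5),           # excluded: previously downloaded from this site
    Flow("ws-42", "files.unknown-host.xyz", 1200, 3),      # no history, not popular: alert
    Flow("phone-03", "sync.phone-vendor.example", 4000, 2),  # infrequent mobile backup: alert, check it
]

if __name__ == "__main__":
    for mode in (True, False):
        print("collapse_subdomains=%s" % mode)
        for ep, site, up in find_large_uploads(HISTORY, CURRENT, collapse_subdomains=mode):
            print("  Large Upload (HTTPS): %s -> %s, %d MB" % (ep, site, up))
```

With subdomains collapsed, ws-09's 950 MB is compared against the 900 MB it has routinely sent to cloudsync.net and is not flagged; with per-hostname keying, the same upload is compared against the 300 MB baseline of lb-2.cloudsync.net alone and becomes a false positive, which is the situation the first investigative action asks you to rule out. The phone-03 alert survives both modes because the device has no history at all, matching the mobile-backup case in the second action.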