Large Upload (SMTP)

The Cortex XDR – Analytics Large Upload (SMTP) alert indicates that an endpoint is emailing an excessive amount of data from your network.

Synopsis

Activation Period: 1 hour.
Training Period: 7 days.
Test Period: None. All limit values are predetermined.
Deduplication Period: 1 day.
Required Data: Traffic logs.
ATT&CK Tactic: Exfiltration.

Description

An endpoint is emailing an excessive amount of data from your network, and the endpoint performing the transfer is not an internal SMTP server. The amount of data contained in the email exceeds a predetermined limit.
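The detection described above, as an added example that is not Cortex XDR's own code: outbound SMTP bytes from traffic logs are summed per source host over a one-hour window, internal SMTP servers are excluded, and a host is reported once when its total exceeds the limit. The log field names, the byte limit and the internal server list are assumptions made for the example.

```python
"""Approximate the Large Upload (SMTP) detection over traffic log rows.

Assumptions (not taken from the alert reference): each row carries src, dst,
dst_port, bytes_sent and ts (epoch seconds); the limit, the window and the
internal SMTP server list are illustrative values chosen for this example.
"""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
WINDOW_SECONDS = 3600             # aggregate per host over one hour
UPLOAD_LIMIT_BYTES = 50_000_000   # constructed threshold; the real limit is predetermined
INTERNAL_SMTP_SERVERS = {"10.0.0.25"}  # constructed: sanctioned relays are not endpoints


def detect_large_smtp_uploads(rows, limit=UPLOAD_LIMIT_BYTES,
                              window=WINDOW_SECONDS,
                              internal_smtp=INTERNAL_SMTP_SERVERS):
    """Return {src: bytes_sent} for hosts whose outbound SMTP bytes within any
    one window exceed the limit; each host appears once (deduplication)."""
    totals = defaultdict(int)                 # (src, window_start) -> bytes
    for r in rows:
        if r["dst_port"] not in SMTP_PORTS or r["src"] in internal_smtp:
            continue
        bucket = r["ts"] - r["ts"] % window   # align to the window start
        totals[(r["src"], bucket)] += r["bytes_sent"]
    alerts = {}
    for (src, _), total in totals.items():
        if total > limit and total > alerts.get(src, 0):
            alerts[src] = total               # keep the largest offending window
    return alerts


# Constructed sample traffic log rows (not real data)
SAMPLE_ROWS = [
    {"ts": 1_700_000_000, "src": "10.1.2.3", "dst": "203.0.113.10", "dst_port": 587, "bytes_sent": 30_000_000},
    {"ts": 1_700_000_900, "src": "10.1.2.3", "dst": "203.0.113.10", "dst_port": 587, "bytes_sent": 25_000_000},
    {"ts": 1_700_000_100, "src": "10.0.0.25", "dst": "203.0.113.20", "dst_port": 25, "bytes_sent": 900_000_000},  # internal relay
    {"ts": 1_700_000_200, "src": "10.1.2.4", "dst": "203.0.113.30", "dst_port": 443, "bytes_sent": 400_000_000},  # not SMTP
    {"ts": 1_700_000_300, "src": "10.1.2.5", "dst": "203.0.113.40", "dst_port": 25, "bytes_sent": 1_000_000},
]

if __name__ == "__main__":
    for host, total in detect_large_smtp_uploads(SAMPLE_ROWS).items():
        print(f"Large Upload (SMTP): {host} sent {total} bytes within one window")
```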

Attacker's Goals

Transfer data they have stolen from your network to a location that is convenient and useful to them.

Investigative Actions

  • Identify the process/user performing the data transfer to determine if the transfer is sanctioned.

Related Documentation