An entity or device which is not an FTP server is transferring an excessively large amount
of data to a single destination. The data limit used to trigger this alert is predetermined,
and is not computed from baseline activity seen on your network.
Transfer data the attacker has stolen from your network to a location that is convenient
and useful.
This alert fires because the source is not an FTP server. If Cortex XDR Analytics
has failed to identify the entity as a valid FTP server, this alert is likely to be
a false positive.
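As an added illustration (not Cortex XDR's own code), the following Python sketches the detection described above over constructed flow records with an assumed fixed threshold, and shows how a missed FTP-server classification produces the false positive noted:

```python
# Constructed illustration of the alert's logic (not Cortex XDR's own code):
# sum bytes per (source, destination) from flow records, skip sources known
# to be FTP servers, and alert when a fixed byte threshold is exceeded.
from collections import defaultdict

# Fixed threshold, as the alert description states: predetermined, not learned
# from baseline traffic. The value is an assumption made for this example.
UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB

# Constructed flow records: (source host, destination host, bytes sent)
SAMPLE_FLOWS = [
    ("ftp01.corp.example", "203.0.113.10", 900_000_000),    # sanctioned FTP server
    ("wks-042.corp.example", "198.51.100.7", 300_000_000),
    ("wks-042.corp.example", "198.51.100.7", 350_000_000),  # same destination again
    ("wks-042.corp.example", "192.0.2.44", 50_000_000),     # different destination
    ("db02.corp.example", "198.51.100.7", 100_000_000),
]


def large_uploads(flows, known_ftp_servers, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return {(source, destination): bytes} for non-FTP sources whose total
    bytes to a single destination exceed the fixed threshold."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if src in known_ftp_servers:
            continue  # a correctly classified FTP server is expected to upload
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold}


if __name__ == "__main__":
    ftp_servers = {"ftp01.corp.example"}
    for (src, dst), total in large_uploads(SAMPLE_FLOWS, ftp_servers).items():
        print(f"ALERT large upload: {src} -> {dst} ({total / 2**20:.0f} MiB)")
    # If classification missed the FTP server, the same logic flags it too,
    # which is the false positive the description warns about.
    for (src, dst), total in large_uploads(SAMPLE_FLOWS, set()).items():
        print(f"unclassified run: {src} -> {dst} ({total / 2**20:.0f} MiB)")
```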
Identify the entity performing the data transfer to determine
if the transfer is sanctioned.
Use Pathfinder to interrogate the endpoint for suspicious
artifacts in endpoint processes or loaded modules.