Large Upload (FTP)

Large Upload (FTP)
Analytics alert indicates that a non-FTP server process is transferring an excessive amount of data.


1 hour
7 days
None. All limit values are predetermined.
3 days
Traffic logs
Varies by activity (High, Medium, or Low).


An entity or device which is not an FTP server is transferring an excessively large amounts of data to a single destination. The data limit used to trigger this alert is predetermined, and is not computed from baseline activity seen on your network.

Attacker's Goals

Transfer data he has stolen from your network to a location that is convenient and useful to him.

Investigative Actions

  • Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive.
  • Identify the entity performing the data transfer to determine if the transfer is sanctioned.
  • Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.

Recommended For You