Large Upload (FTP)

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Day

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Low

Description

The endpoint transferred an excessively large amounts of data to a single destination over FTP.
Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.
For that reason, Cortex XDR detected this abnormal behavior of large data upload.
An attacker may be exfiltrating data directly to the internet using this protocol.

Attacker's Goals

Exfiltrate stolen data from the victim network to an attacker's controllable resource.

Investigative actions

  • Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive.
  • Identify the entity performing the data transfer to determine if the transfer is sanctioned.
  • Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.

Variations

Large Upload (FTP)

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Exfiltration Over Alternative Protocol (T1048)

Severity

Informational

Description

The endpoint transferred an excessively large amounts of data to a single destination over FTP.
Cortex XDR Analytics assumes endpoint traffic towards a specific destination should be about the same over long periods of time.
For that reason, Cortex XDR detected this abnormal behavior of large data upload.
An attacker may be exfiltrating data directly to the internet using this protocol.

Attacker's Goals

Exfiltrate stolen data from the victim network to an attacker's controllable resource.

Investigative actions

  • Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive.
  • Identify the entity performing the data transfer to determine if the transfer is sanctioned.
  • Use Pathfinder to interrogate the endpoint for suspicious artifacts that are using endpoint processes or loaded modules.