Synopsis

Activation Period | 14 Days
Training Period | 30 Days
Test Period | 1 Day
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
The endpoint transferred an excessively large amount of data to a single destination over FTP.
Cortex XDR Analytics assumes that an endpoint's traffic toward a specific destination stays roughly constant over long periods of time.
Cortex XDR therefore flagged this unusually large upload as abnormal behavior.
An attacker may be exfiltrating data directly to the internet over this protocol.
Attacker's Goals
Exfiltrate stolen data from the victim network to a resource under the attacker's control.
Investigative actions
- Verify that the source is not an FTP server. If Cortex XDR Analytics has failed to identify the entity as a valid FTP server, this alert is likely to be a false positive.
- Identify the entity performing the data transfer to determine if the transfer is sanctioned.
- Use Pathfinder to interrogate the endpoint for suspicious artifacts, such as endpoint processes or loaded modules.
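As an added illustration of the baselining that the description and the first investigative action refer to (this is example code, not Cortex XDR's own logic), the Python below builds a per-(source, destination) daily FTP upload baseline over the 30-day training period, compares the 1-day test period against it, and suppresses sources that look like FTP servers. The flow-record shape, the port-21 heuristic for recognising FTP traffic and FTP servers, and the mean + 3 × stdev threshold with a 50 MB floor are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

TRAINING_DAYS = 30  # training period from the synopsis table
TEST_DAYS = 1       # test period from the synopsis table
FTP_PORT = 21       # assumption: the FTP control port identifies FTP flows

def daily_upload_volume(flows, start, days):
    """Sum bytes sent per (src, dst) per day over FTP flows inside [start, start + days)."""
    end = start + timedelta(days=days)
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, dport, sent in flows:
        if dport == FTP_PORT and start <= day < end:
            totals[(src, dst)][day] += sent
    return totals

def is_ftp_server(flows, entity):
    """Assumed heuristic: an entity that receives inbound FTP connections is an FTP server."""
    return any(dst == entity and dport == FTP_PORT for _, _, dst, dport, _ in flows)

def detect_large_ftp_upload(flows, test_day, k=3.0, min_bytes=50_000_000):
    """Flag pairs whose test-day upload is large and above the per-pair baseline (mean + k * stdev)."""
    train_start = test_day - timedelta(days=TRAINING_DAYS)
    training = daily_upload_volume(flows, train_start, TRAINING_DAYS)
    alerts = []
    for (src, dst), per_day in daily_upload_volume(flows, test_day, TEST_DAYS).items():
        if is_ftp_server(flows, src):
            continue  # an FTP server moving bulk data is expected: the page's false-positive case
        # Every training day is counted, so a destination with no history gets a zero baseline
        history = [training[(src, dst)].get(train_start + timedelta(days=i), 0)
                   for i in range(TRAINING_DAYS)]
        baseline, spread = mean(history), pstdev(history)
        observed = per_day.get(test_day, 0)
        if observed >= min_bytes and observed > baseline + k * spread:
            alerts.append({"src": src, "dst": dst, "observed": observed,
                           "baseline": round(baseline), "severity": "Low"})
    return alerts

# Constructed sample flows: (day, src, dst, dst_port, bytes_sent); addresses are documentation ranges
TEST_DAY = date(2024, 3, 31)
FLOWS = [(TEST_DAY - timedelta(days=TRAINING_DAYS - i), "10.0.0.5", "203.0.113.10", FTP_PORT,
          2_000_000 + (i % 3) * 100_000) for i in range(TRAINING_DAYS)]  # steady ~2 MB/day
FLOWS += [
    (TEST_DAY, "10.0.0.5", "203.0.113.10", FTP_PORT, 900_000_000),  # 900 MB burst on the test day
    (TEST_DAY, "10.0.0.5", "203.0.113.10", 443, 5_000_000_000),     # HTTPS volume is out of scope here
    (TEST_DAY, "10.0.0.20", "10.0.0.9", FTP_PORT, 1_000),           # inbound FTP marks 10.0.0.9 as a server
    (TEST_DAY, "10.0.0.9", "198.51.100.7", FTP_PORT, 900_000_000),  # server upload: suppressed
]
ALERTS = detect_large_ftp_upload(FLOWS, TEST_DAY)  # one alert: 10.0.0.5 -> 203.0.113.10
```

The small inbound transfer to 10.0.0.9 never fires because it is below the absolute floor, and the 900 MB upload from 10.0.0.9 is suppressed because that host is classified as an FTP server.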