Large Upload Alert
The playbook investigates Cortex XDR alerts involving large upload alerts. The playbook consists of the following procedures: - Searches for similar previous alerts that were closed as false positives. - Enrichment and investigation of the initiator and destination hostname and IP address. - Enrichment and investigation of the initiator user, process, file, or command if it exists. - Detection of related indicators and analysis of the relationship between the detected indicators. - Utilize the detected indicators to conduct threat hunting. - Blocks detected malicious indicators. - Endpoint isolation. This playbook supports the following Cortex XDR alert names: - Large Upload (Generic) - Large Upload (SMTP) - Large Upload (FTP) - Large Upload (HTTPS)
Core · 53 tasks · 9 inputs · 0 outputs
Inputs
InternalIPRanges— A list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).FurtherInvestigation— Determines whether an alert should be further investigated if similar previous false positive alerts were found. Possible values:True/False. Default: False.AutoBlockIndicators— Determine whether the given indicators be automatically blocked, or if the user should be given the option to choose. Possible values:True/False. Default: True. If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.BlockIndicators_UserVerification— Determine whether the blocking of any indicator requires the verification of the user. Possible values:True/False. Default: False.EarlyContainment— Whether early containment should be allowed when the IP address is known to be malicious. Possible values:True/False. Default: True.AutoIsolateEndpoint— Whether to isolate the initiating endpoint automatically if the investigation verdict is malicious. Possible values:True/False. Default: False.Transferred_Data _Threshold— Specify the uploaded data threshold volume (in MB) from which large upload alerts should be investigated. By setting a threshold, you will be able to determine which large upload alerts require investigation. Default value: 150 (MB).FWApps_Processes_Whitlist— A list of known and authorized FW application IDs and processes used in the organization.Alert_ID— The Cortex XDR alert ID.
Commands used
core-get-cloud-original-alerts
core-isolate-endpoint
setAlert
setAlertStatus