Rules: Large File Upload
Observes for file uploads above 50MB in size. It is recommended to tune this rule to desired file size threshold for your organization as well as to exclude users/systems typically sending large outbound files.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Exfiltration |
| Apply Risk to Entities | srcDevice_hostname, srcDevice_ip, user_username |
| Signal Name | Large File Upload |
| Summary Expression | File of size: {{bytesOut}} uploaded from IP: {{srcDevice_ip}} |
| Score/Severity | Static: 1 |
| Enabled by Default | False |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0010, _mitreAttackTechnique:T1567, _mitreAttackTechnique:T1567.001, _mitreAttackTechnique:T1567.002 |
- Bro - Bro
- Cisco Systems - ASA
- Dell - Firewall
- Fortinet - Fortigate
- Microsoft - Azure
- Netskope - Security Cloud
- Palo Alto Networks - Next Generation Firewall
- Sophos - UTM 9
- Zscaler - Firewall
| Origin | Field |
|---|---|
| Normalized Schema | bytesOut |
| Normalized Schema | dstDevice_ip_isInternal |
| Normalized Schema | listMatches |
| Normalized Schema | objectType |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |