Forum Discussion
Sentinel Query
Hi all,
Im hoping that there is someone in here who can help me write a query to display Outbound Transfer of over 20MB
Iv searched the Github community but cannot find anything on there like this query.
Thanks
Maybe this will help? The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)
let maxBytes = 20971520; //20MB - from Bytes (B) Binary CommonSecurityLog | where DeviceVendor == "Cisco" | where DeviceProduct == "Firepower" | extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions) | where toreal(bytesOut) > maxBytes | extend MBytesOut = toreal(bytesOut)/1024/1024 | summarize by MBytesOut, RequestURL, SourceUserName , DestinationIP, DestinationPort
- I found this which looks like its possible, but no query attached https://www.managedsentinel.com/ms-a042
- Using cisco firepower for a FW
let maxBytes = 20000000; //20MB CommonSecurityLog | where DeviceVendor == "Cisco" | where DeviceProduct == "Firepower" | extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions) | where toreal(bytesOut) > maxBytes- Thats awesome, thank you
How would I add "Outbound" to this? I want to know when users are uploading large amounts of data outside of the company network. For example, to WeTransfer, or GoogleDrive.
