Forum Discussion
Sentinel Query
Hi all, Im hoping that there is someone in here who can help me write a query to display Outbound Transfer of over 20MB Iv searched the Github community but cannot find anything on there like...
Maybe this will help? The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)
let maxBytes = 20971520; //20MB - from Bytes (B) Binary CommonSecurityLog | where DeviceVendor == "Cisco" | where DeviceProduct == "Firepower" | extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions) | where toreal(bytesOut) > maxBytes | extend MBytesOut = toreal(bytesOut)/1024/1024 | summarize by MBytesOut, RequestURL, SourceUserName , DestinationIP, DestinationPort
Using cisco firepower for a FW
let maxBytes = 20000000; //20MB CommonSecurityLog | where DeviceVendor == "Cisco" | where DeviceProduct == "Firepower" | extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions) | where toreal(bytesOut) > maxBytes- Thats awesome, thank you
How would I add "Outbound" to this? I want to know when users are uploading large amounts of data outside of the company network. For example, to WeTransfer, or GoogleDrive.Maybe this will help? The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)
let maxBytes = 20971520; //20MB - from Bytes (B) Binary CommonSecurityLog | where DeviceVendor == "Cisco" | where DeviceProduct == "Firepower" | extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions) | where toreal(bytesOut) > maxBytes | extend MBytesOut = toreal(bytesOut)/1024/1024 | summarize by MBytesOut, RequestURL, SourceUserName , DestinationIP, DestinationPort
