Forum Discussion
Jason Skaife
Jan 07, 2022
Copper Contributor
Sentinel Query
Hi all, I'm hoping that there is someone in here who can help me write a query to display Outbound Transfer of over 20MB. I've searched the Github community but cannot find anything on there like...
Jason Skaife
Copper Contributor
That's awesome, thank you
How would I add "Outbound" to this? I want to know when users are uploading large amounts of data outside of the company network. For example, to WeTransfer, or GoogleDrive.
Clive_Watson
Jan 07, 2022
Bronze Contributor
Maybe this will help? The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)
let maxBytes = 20971520; //20MB - from Bytes (B) Binary
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "Firepower"
| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)
| where toreal(bytesOut) > maxBytes
| extend MBytesOut = toreal(bytesOut)/1024/1024
| summarize by MBytesOut, RequestURL, SourceUserName, DestinationIP, DestinationPort
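One way to add the "outbound" part asked about above is to drop destinations that sit in private (RFC 1918) address space and then total the bytes per user over a time window, rather than looking only at single large events. This is an added example, not code from the thread or from Clive_Watson; it keeps the thread's assumption that Cisco Firepower reports the byte count in a bytesOut= key inside AdditionalExtensions, and the one-hour window and the 20MB threshold are illustrative choices:

```kql
// Added example (not from the original thread): outbound transfers over 20MB per user per hour
let maxBytes = 20 * 1024 * 1024;          // 20MB in binary bytes, same threshold as the thread
let window = 1h;                          // assumed aggregation window
CommonSecurityLog
| where DeviceVendor == "Cisco" and DeviceProduct == "Firepower"
// assumption carried over from the thread: bytes sent appear as bytesOut=<n>; in AdditionalExtensions
| extend bytesOut = tolong(extract(@"bytesOut=([^;]+)", 1, AdditionalExtensions))
| where isnotempty(bytesOut) and isnotempty(DestinationIP)
// "outbound": keep only destinations outside private address ranges
| where ipv4_is_private(DestinationIP) == false
| summarize TotalBytesOut = sum(bytesOut),
            Flows = count(),
            Destinations = make_set(DestinationIP, 20),
            Urls = make_set(RequestURL, 20)
    by SourceUserName, SourceIP, TimeBin = bin(TimeGenerated, window)
| where TotalBytesOut > maxBytes
| extend MBytesOut = round(todouble(TotalBytesOut) / 1024 / 1024, 2)
| project TimeBin, SourceUserName, SourceIP, MBytesOut, Flows, Destinations, Urls
| order by MBytesOut desc
```

Summing per user and hour also catches an upload that the firewall reports as many smaller flows, which a per-event "> maxBytes" filter misses. RequestURL is only populated for traffic the sensor could inspect, so a large transfer with an empty Urls set is itself worth a second look.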
- Jason Skaife
Jan 07, 2022
Copper Contributor
It's strange, I'm seeing traffic and low-level data being sent between my machine and WeTransfer but it's not showing any files uploaded. Specifically a 129MB file I uploaded. Also a colleague uploaded a file to iCloud and it's not showing this, and I also uploaded a file of 150MB to Google Drive. All the results it is displaying are destination IPs belonging to Microsoft or Amazon.
- Clive_Watson
Jan 07, 2022
Bronze Contributor
Maybe go back to a simple query to look for your file?
CommonSecurityLog
| search "<insert file name here>"
If not, maybe these are being filtered out in your config?