Forum Discussion
Jason Skaife
Jan 07, 2022Copper Contributor
Sentinel Query
Hi all, I'm hoping that there is someone in here who can help me write a query to display outbound transfers of over 20MB. I've searched the GitHub community but cannot find anything on there like...
- Jan 07, 2022
Maybe this will help? The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)
let maxBytes = 20971520; //20MB - from Bytes (B) Binary
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "Firepower"
| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)
| where toreal(bytesOut) > maxBytes
| extend MBytesOut = toreal(bytesOut)/1024/1024
| summarize by MBytesOut, RequestURL, SourceUserName, DestinationIP, DestinationPort
Jason Skaife
Jan 07, 2022Copper Contributor
It's strange,
I'm seeing traffic and low-level data being sent between my machine and WeTransfer, but it's not showing any files uploaded. Specifically a 129MB file I uploaded. Also a colleague uploaded a file to iCloud and it's not showing this, and I also uploaded a file of 150MB to Google Drive. All the results it is displaying are destination IPs belonging to Microsoft or Amazon.
Clive_Watson
Jan 07, 2022Bronze Contributor
Maybe go back to simple query to look for your file?
CommonSecurityLog
| search "<insert file name here>"
If not maybe these are being filtered out in your config?
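One reason a 129MB or 150MB upload may never cross the per-record threshold is that the firewall can log one upload as many shorter connection records, each under 20MB. The following is an added example (not posted by either participant) that reuses the bytesOut extraction from the query above but sums it per source, destination and hour; it assumes the same CommonSecurityLog/Firepower schema, and the output column names (TotalMBOut, MaxSessionMB, Sessions, Urls) are my own choices.

```kql
// Added example: flag source/destination pairs whose outbound bytes add up
// to more than 20MB within one hour, even when no single session exceeds it.
// Assumes AdditionalExtensions carries a "bytesOut=<n>" field as in the thread.
let maxBytes = 20971520; // 20MB in bytes (binary)
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Cisco" and DeviceProduct == "Firepower"
// Same extraction as above, converted to a number so it can be summed;
// tolong() yields null for records that have no usable bytesOut value
| extend bytesOut = tolong(extract('bytesOut=([^;]+)', 1, AdditionalExtensions))
| where isnotnull(bytesOut)
// Roll up all records for one host talking to one destination per hour
| summarize TotalBytesOut = sum(bytesOut),
            MaxSessionBytes = max(bytesOut),
            Sessions = count(),
            Urls = make_set(RequestURL, 10)
    by SourceIP, SourceUserName, DestinationIP, DestinationPort, bin(TimeGenerated, 1h)
| where TotalBytesOut > maxBytes
| extend TotalMBOut = round(todouble(TotalBytesOut) / 1024 / 1024, 2),
         MaxSessionMB = round(todouble(MaxSessionBytes) / 1024 / 1024, 2)
| project TimeGenerated, SourceUserName, SourceIP, DestinationIP, DestinationPort,
          TotalMBOut, MaxSessionMB, Sessions, Urls
| order by TotalMBOut desc
```

If this still returns nothing for a known upload, the records most likely lack a bytesOut field altogether (the `isnotnull` filter drops them), which is exactly the case Clive's plain `search` check is meant to surface.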