cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Sentinel Query

Jason Skaife
Copper Contributor

‎Jan 07 2022 04:00 AM

‎Jan 07 2022 04:00 AM

Sentinel Query

Hi all,

 

Im hoping that there is someone in here who can help me write a query to display Outbound Transfer of over 20MB

 

Iv searched the Github community but cannot find anything on there like this query.

 

Thanks

2,310 Views
0 Likes
7 Replies
Reply
7 Replies
Jason Skaife

‎Jan 07 2022 04:34 AM

‎Jan 07 2022 04:34 AM

RE: Sentinel Query

I found this which looks like its possible, but no query attached https://www.managedsentinel.com/ms-a042
0 Likes
Reply
Jason Skaife

‎Jan 07 2022 05:39 AM

‎Jan 07 2022 05:39 AM

RE: Sentinel Query

Using cisco firepower for a FW
0 Likes
Reply
Clive_Watson

‎Jan 07 2022 06:26 AM

‎Jan 07 2022 06:26 AM

RE: Sentinel Query

@Jason Skaife 

 

let maxBytes = 20000000; //20MB
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "Firepower"
| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)
| where toreal(bytesOut) > maxBytes
0 Likes
Reply
Jason Skaife

‎Jan 07 2022 06:42 AM

‎Jan 07 2022 06:42 AM

RE: Sentinel Query

Thats awesome, thank you

How would I add "Outbound" to this? I want to know when users are uploading large amounts of data outside of the company network. For example, to WeTransfer, or GoogleDrive.
0 Likes
Reply
best response confirmed by Jason Skaife (Copper Contributor)
Clive_Watson

‎Jan 07 2022 07:01 AM - edited ‎Jan 07 2022 07:13 AM

‎Jan 07 2022 07:01 AM - edited ‎Jan 07 2022 07:13 AM

Solution

RE: Sentinel Query

@Jason Skaife 

Maybe this will help?  The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)

 

 

let maxBytes = 20971520; //20MB - from Bytes (B) Binary
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "Firepower"
| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)
| where toreal(bytesOut) > maxBytes
| extend MBytesOut = toreal(bytesOut)/1024/1024
| summarize by MBytesOut, RequestURL, SourceUserName , DestinationIP, DestinationPort

 

 

 

0 Likes
Reply
Jason Skaife

‎Jan 07 2022 08:25 AM

‎Jan 07 2022 08:25 AM

RE: Sentinel Query

Its strange,

Im seeing traffic and low level data being sent between my machine and WeTransfer but its not showing any files uploaded. Specifcially a 129MB file I uploaded. Also a colleague uploaded a file to iCloud and its not showing this and I also uploaded a file of 150MB to Google Drive. All the results it is displaying are destination IP's belonging to Microsoft or Amazon
0 Likes
Reply
Clive_Watson

‎Jan 07 2022 08:47 AM

‎Jan 07 2022 08:47 AM

RE: Sentinel Query

Maybe go back to simple query to look for your file?

CommonSecurityLog
| search " < insert file name here >

If not maybe these are being filtered out in your config?
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Jason Skaife (Copper Contributor)
Clive_Watson

‎Jan 07 2022 07:01 AM - edited ‎Jan 07 2022 07:13 AM

‎Jan 07 2022 07:01 AM - edited ‎Jan 07 2022 07:13 AM

Solution

RE: Sentinel Query

@Jason Skaife 

Maybe this will help?  The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)

 

 

let maxBytes = 20971520; //20MB - from Bytes (B) Binary
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "Firepower"
| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)
| where toreal(bytesOut) > maxBytes
| extend MBytesOut = toreal(bytesOut)/1024/1024
| summarize by MBytesOut, RequestURL, SourceUserName , DestinationIP, DestinationPort

 

 

 

View solution in original post

0 Likes
Reply