Forum Discussion

Copper Contributor

Jan 07, 2022

Sentinel Query

Hi all, Im hoping that there is someone in here who can help me write a query to display Outbound Transfer of over 20MB Iv searched the Github community but cannot find anything on there like...

Clive_Watson

Jan 07, 2022

Jason Skaife

Maybe this will help? The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)

let maxBytes = 20971520; //20MB - from Bytes (B) Binary
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "Firepower"
| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)
| where toreal(bytesOut) > maxBytes
| extend MBytesOut = toreal(bytesOut)/1024/1024
| summarize by MBytesOut, RequestURL, SourceUserName , DestinationIP, DestinationPort

Clive_Watson

Bronze Contributor

Jason Skaife

Maybe this will help? The columns RequestURL and SourceUserName have some outbound context but not always (in my limited data set at least)

let maxBytes = 20971520; //20MB - from Bytes (B) Binary
CommonSecurityLog
| where DeviceVendor == "Cisco"
| where DeviceProduct == "Firepower"
| extend bytesOut = extract('bytesOut=([^;]+)',1,AdditionalExtensions)
| where toreal(bytesOut) > maxBytes
| extend MBytesOut = toreal(bytesOut)/1024/1024
| summarize by MBytesOut, RequestURL, SourceUserName , DestinationIP, DestinationPort

Jason Skaife

Copper Contributor

Jan 07, 2022

Its strange,

Im seeing traffic and low level data being sent between my machine and WeTransfer but its not showing any files uploaded. Specifcially a 129MB file I uploaded. Also a colleague uploaded a file to iCloud and its not showing this and I also uploaded a file of 150MB to Google Drive. All the results it is displaying are destination IP's belonging to Microsoft or Amazon

Clive_Watson
Bronze Contributor
Jan 07, 2022
Maybe go back to simple query to look for your file?

CommonSecurityLog
| search " < insert file name here >

If not maybe these are being filtered out in your config?