# Playbook of the Week: Streamlining Suspicious Data Upload Alert Investigations

By [Tal Nossen](https://www.paloaltonetworks.com/blog/author/tal-nossen/?ts=markdown "Posts by Tal Nossen"), Apr 05, 2024, 5 minutes

### **Manual Investigations: The Struggle Is Real**

Data exfiltration is the unauthorized transfer of sensitive or confidential information from a network or system to an external location. It is usually covert, exploiting weaknesses in security controls or using sophisticated malware. Data exfiltration poses significant threats to organizations, as it can lead to privacy breaches, intellectual property theft, and financial losses.

Investigating data exfiltration alerts, particularly those triggered by analytics, is challenging: determining the source and extent of a breach takes significant analyst time and resources. Manual investigation is also slow and subject to human error, which delays response and compounds the impact of a breach.

That is why we are pleased to introduce the [Cortex XDR - Large Upload](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr---large-upload) playbook. It is designed to streamline the handling of [Cortex XDR analytics](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference/Cortex-XDR-Analytics-Alert-Reference) "large upload" alerts, speeding up the investigation and bringing efficiency and precision to data exfiltration cases.

**What are Large Upload alerts?**

In most organizations, data exfiltration occurs via standard channels like Google, Dropbox, and smaller file-sharing sites.
Since some protocols, such as HTTPS, are permitted, it is relatively straightforward to exfiltrate data. You can help prevent data exfiltration by identifying large uploads that may indicate a weakness in your network.

Cortex XDR large upload alerts are triggered when a significant amount of data is detected being uploaded from an organization's network to an external destination. These alerts indicate potential security breaches or unauthorized data exfiltration attempts. They highlight anomalies in network traffic patterns, giving insight into activity that deviates from normal behavior, from a sudden surge in transfer volume to uploads toward suspicious destinations or over unexpected protocols.

**The Large Upload playbook flow**

The [playbook](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr---large-upload) investigates Cortex XDR incidents involving large upload alerts and is designed to run as a sub-playbook within [Cortex XDR Alerts Handling v2](https://xsoar.pan.dev/docs/reference/playbooks/cortex-xdr-alerts-handling-v2). It supports all Cortex XDR large upload alert types ([Generic](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference-by-detector/Large-Upload-Generic), [HTTPS](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference-by-detector/Large-Upload-HTTPS), [FTP](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference-by-detector/Large-Upload-FTP), [SMTP](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference-by-detector/Large-Upload-SMTP)). The playbook automates and streamlines the investigation, significantly reducing the time and effort required to identify and respond to large upload alerts. Let's walk through the workflow to see how it simplifies the investigation.

1. **Searching for similar incidents**

   The playbook starts by searching for similar previous incidents that were closed as false positives. If such incidents are found and the 'FurtherInvestigation' playbook input is set to 'true', the playbook skips the unnecessary steps, saving both time and server resources.

2. **Enrichment**

   To avoid spending resources on inconsequential data, the enrichment section first checks the volume of uploaded data against the 'Transferred_Data_Threshold' playbook input configured by the user. If the volume is below the threshold, the playbook skips ahead. Otherwise it enriches the initiator and destination hostnames and IP addresses, the initiator username, and the SHA256 hash of the initiator file.

3. **Analysis**

   The playbook checks for additional alerts within the investigation, whether the initiator process is signed, and whether the initiator host is an FTP or SMTP server. To ensure alignment with the organization's policies, it also checks the name of the initiator process and the Firewall App ID associated with the traffic against the company's known and trusted App IDs and process names set in the 'FWApps_Processes_Whitlist' playbook input.

   ![Figure 1: Analysis](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-317297-1.png)

   Figure 1: Analysis

4. **Containment**

   If the 'EarlyContainment' playbook input is set to 'true', any malicious indicators identified so far are blocked during this phase to limit the damage caused by the current incident.

5. **Investigation**

   To identify additional suspicious activity or alerts, the playbook investigates the initiator username, hostname, and command line to build a comprehensive picture of the incident. It also detects related indicators and analyzes their relationships.
   This step is crucial to properly understand the broader context of the incident and to identify patterns that may indicate malicious activity.

   ![Fig 2: Investigation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/04/word-image-317297-2.png)

   Fig 2: Investigation

6. **Verdict and Threat Hunting and Blocking**

   The alert verdict is calculated from the information gathered so far. If the verdict indicates malicious activity, the sub-playbook hunts for the detected indicators and provides security teams with actionable insights. If malicious indicators are confirmed, the playbook blocks them as part of remediation, preventing further compromise.

7. **Remediation**

   When additional indicators are found, the playbook blocks them and, if the "AutoIsolateEndpoint" input is set to 'true', isolates the affected endpoints, containing the threat and limiting its impact.

**Wrapping Up: Advancing Incident Response with the Large Upload Playbook**

In most organizations, data exfiltration occurs via standard channels like Google, Dropbox, and smaller file-sharing sites, and it is relatively straightforward because protocols such as HTTPS are typically permitted. Responding quickly and decisively to potential exfiltration through automation and an optimized investigation process is what ultimately strengthens defenses against evolving data exfiltration threats. Given the sensitivity of the data and the potential impact of unauthorized uploads, promptly identifying and investigating large upload alerts is paramount to maintaining a robust cybersecurity posture.

**Get started on your security automation journey. Download our e-book [*A Practical Guide to Deploying SecOps Automation*](https://www.paloaltonetworks.com/resources/ebooks/practical-guide-secops-automation).**
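The decision gates of the playbook flow described above (similar-incident skip, upload threshold, trusted App ID and process comparison, early containment, verdict and isolation), modelled in Python as an added example; this is not code from the playbook or from Palo Alto Networks. The alert field names, the byte unit of the threshold, the requirement that both App ID and process name be listed, the FTP/SMTP-server discount and the verdict scoring are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PlaybookInputs:
    """Playbook inputs named in the post; defaults and the byte unit are assumptions."""
    further_investigation: bool = True                    # 'FurtherInvestigation'
    transferred_data_threshold: int = 100 * 1024 ** 2     # 'Transferred_Data_Threshold' (bytes, assumed)
    fw_apps_processes_whitelist: frozenset = frozenset()  # 'FWApps_Processes_Whitlist'
    early_containment: bool = False                       # 'EarlyContainment'
    auto_isolate_endpoint: bool = False                   # 'AutoIsolateEndpoint'

def triage(alert: dict, inputs: PlaybookInputs, similar_fp_incidents: int) -> dict:
    """Run one large-upload alert through the post's gates; return verdict and actions."""
    result = {"enriched": False, "whitelisted": False, "signals": [],
              "verdict": "undetermined", "actions": []}
    # 1. Similar incidents closed as false positive plus 'FurtherInvestigation' set: skip the rest.
    if similar_fp_incidents > 0 and inputs.further_investigation:
        result["verdict"] = "likely_false_positive"
        return result
    # 2. Enrichment gate: volumes under the threshold are not enriched further.
    if alert["transferred_bytes"] < inputs.transferred_data_threshold:
        result["verdict"] = "below_threshold"
        return result
    result["enriched"] = True
    # 3. Analysis: App ID and initiator process vs. the trusted list; both must be listed (assumption).
    trusted = {w.lower() for w in inputs.fw_apps_processes_whitelist}
    result["whitelisted"] = (alert["fw_app_id"].lower() in trusted
                             and alert["initiator_process"].lower() in trusted)
    signals = result["signals"]
    if not result["whitelisted"]:
        signals.append("untrusted_app_or_process")
    if not alert["initiator_signed"]:
        signals.append("unsigned_initiator")
    if alert["additional_alerts"] > 0:
        signals.append("additional_alerts")
    if alert["destination_malicious"]:  # verdict on the enriched destination
        signals.append("malicious_destination")
    # A known FTP/SMTP server is expected to push large volumes, so an unlisted
    # app/process alone is not held against it (assumed rule).
    if alert["host_is_ftp_or_smtp_server"] and signals == ["untrusted_app_or_process"]:
        signals.clear()
    # 4. Early containment blocks indicators that are already known malicious.
    if inputs.early_containment and alert["destination_malicious"]:
        result["actions"].append("early_block_indicators")
    # 6./7. Verdict, then blocking and optional isolation (scoring is an assumption).
    result["verdict"] = "malicious" if len(signals) >= 2 else "suspicious" if signals else "benign"
    if result["verdict"] == "malicious":
        result["actions"].append("block_indicators")
        if inputs.auto_isolate_endpoint:
            result["actions"].append("isolate_endpoint")
    return result

# Constructed sample alert (not real telemetry): a 2 GB upload over SSL by an
# unsigned, unlisted process from a host that already carries two other alerts.
SAMPLE_ALERT = {"transferred_bytes": 2 * 1024 ** 3, "fw_app_id": "ssl",
                "initiator_process": "updater.exe", "initiator_signed": False,
                "additional_alerts": 2, "destination_malicious": False,
                "host_is_ftp_or_smtp_server": False}
SAMPLE_INPUTS = PlaybookInputs(auto_isolate_endpoint=True,
                               fw_apps_processes_whitelist=frozenset({"dropbox-base", "dropbox.exe"}))
```

Running `triage(SAMPLE_ALERT, SAMPLE_INPUTS, 0)` walks the sample through every gate; lowering the threshold or adding the process to the trusted set shows which input change would have stopped the playbook earlier.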