Skip to main content

Cortex XDR - Large Upload

This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

The playbook investigates Cortex XDR incidents involving large upload alerts. The playbook is designed to run as a sub-playbook of ‘Cortex XDR Alerts Handling v2’.

The playbook consists of the following procedures:

  • Searches for similar previous incidents that were closed as false positives.
  • Enrichment and investigation of the initiator and destination hostname and IP address.
  • Enrichment and investigation of the initiator user, process, file, or command if it exists.
  • Detection of related indicators and analysis of the relationship between the detected indicators.
  • Utilize the detected indicators to conduct threat hunting.
  • Blocks detected malicious indicators.
  • Endpoint isolation.

This playbook supports the following Cortex XDR alert names:

  • Large Upload (Generic)
  • Large Upload (SMTP)
  • Large Upload (FTP)
  • Large Upload (HTTPS)


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block Indicators - Generic v3
  • Entity Enrichment - Generic v3
  • TIM - Indicator Relationships Analysis
  • Cortex XDR - Isolate Endpoint
  • Cortex XDR - Endpoint Investigation
  • Cortex XDR - Search and Compare Process Executions - XDR Alerts
  • User Investigation - Generic
  • Threat Hunting - Generic
  • Command-Line Analysis


  • CortexXDRIR


  • Set
  • DBotFindSimilarIncidents


  • setIncident
  • xdr-get-cloud-original-alerts

Playbook Inputs#

NameDescriptionDefault ValueRequired
InternalIPRangesA list of IP ranges to check the IP against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: ",," (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).lists.PrivateIPsOptional
FurtherInvestigationDetermines whether an incident should be further investigated if similar previous false positive incidents were found.
Possible values:True/False. Default: False.
AutoBlockIndicatorsDetermine whether the given indicators be automatically blocked, or if the user should be given the option to choose.
Possible values:True/False. Default: True.
If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.
BlockIndicators_UserVerificationDetermine whether the blocking of any indicator requires the verification of the user.
Possible values:True/False. Default: False.
EarlyContainmentWhether early containment should be allowed when the IP address is known to be malicious.
Possible values:True/False. Default: True.
AutoIsolateEndpointWhether to isolate the initiating endpoint automatically if the investigation verdict is malicious.
Possible values:True/False. Default: False.
Alert_IDThe Cortex XDR alert ID.PaloAltoNetworksXDR.Incident.alerts.alert_idOptional
Transferred_Data _ThresholdSpecify the uploaded data threshold volume (in MB) from which large upload alerts should be investigated.
By setting a threshold, you will be able to determine which large upload alerts require investigation.
Default value: 150 (MB).
FWApps_Processes_WhitlistA list of known and authorized FW application IDs and processes used in the organization.ip,tcp,udp,ssl,syslog,quic,Chrome.exe,Firefox.exe,Opera.exe,Safari.exe,iexplore.exe,msedge.exe,brave.exeOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Cortex XDR - Large Upload