Top Files Transferred Widget
The Top Files Transferred widget displays a table of the largest or most notable files transferred across your network, including file hashes, names, sizes, and malware detection alerts. This is a key data loss prevention (DLP) widget — use it to monitor for large file exfiltration, identify files flagged by malware engines, and track file transfer patterns.

Configuration
Click + Add Widget, select Top Files Transferred, and click Next.

| Field | Required | Description | Default |
|---|---|---|---|
| Widget Name | Yes | A title (e.g., 'Top Files Transferred'). | — |
| Time Range | No | Period to display. | Use Global |
| Query | No | A DataBee search query to filter file transfer records. | Empty |
| Sort Column | No | Which column determines the 'top' files. | file_size |
| Sort Order | No | Ascending or Descending. | Descending |
Sort Options
The Sort Column controls how the top 10 files are selected:
| Sort Column | What It Prioritizes | Use When |
|---|---|---|
| file_size | Largest files first. | Looking for potential data exfiltration — large file transfers are a common indicator. |
| file_name | Alphabetical by file name. | Searching for specific file types or naming patterns. |
| file_hash | By file hash. | Grouping files with identical content (same hash = same file). |
| malware_alerts | Files with the most malware detections. | Prioritizing the most dangerous files — those flagged by multiple detection engines. |
Tip: Set Sort Column to malware_alerts with Descending order to immediately surface the most dangerous files. Files detected by multiple malware engines appear at the top.
Understanding the Table
| Column | Description |
|---|---|
| File Hash | The SHA-256 hash (truncated to 11 characters). Hover to see the full hash. Click to search for all transfers of this file. |
| Name | The file name and extension (e.g., medical.flac, director.html). Shows '-' if the file name is unknown. |
| Size | Human-readable file size (e.g., 973.94 kB). Hover to see the exact byte count. |
| Malware Alerts | Names of malware engines that flagged this file, shown in bold red text (e.g., 'Hector Machine Learning Engine'). Multiple alerts are comma-separated. Shows '-' if no alerts were triggered. |
Query Syntax
The Query field accepts DataBee's search query syntax to filter which records are included. If left blank, all records in the selected table within the time range are included.
Basic Syntax
Queries follow the format: field_name operator value
Supported Operators
| Operator | Description | Example |
|---|---|---|
| in | Field value matches the specified value(s). Use parentheses for multiple values. | severity_id in (4,5,6) |
| notin | Field value does NOT match the specified value(s). | status_id notin (0,99) |
| contains | Field value contains the specified substring. | message contains ransomware |
| between | Field value falls between two values (inclusive). Separate with comma. | traffic.bytes between 1000,50000 |
Combining Conditions
Use "and" to combine multiple conditions. For example: severity_id in (4,5) and metadata.product.name in CrowdStrike
Nested Field Paths
Access nested fields using dot notation. Common paths include:
| Path | Description |
|---|---|
| metadata.product.name | The security product that generated the event (e.g., CrowdStrike, Qualys) |
| src_endpoint.ip | Source IP address |
| dst_endpoint.ip | Destination IP address |
| device.name | Device hostname |
| user.name | Username |
| finding.severity | Finding severity level |
Note: The widget's Time Range setting automatically filters by time — you do not need to include time filters in the Query field.
Query Examples for Top Files Transferred
| Scenario | Query |
|---|---|
| Only files with malware alerts | malwares contains alert |
| Files from CrowdStrike detections | metadata.product.name in CrowdStrike |
| Only executable files | file.name contains .exe |
| Large files only (>1MB) | file.size between 1000000,999999999 |
| Files from a specific device | device.name in workstation-42 |
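The following is an added worked example, not DataBee's own code: a small evaluator for the query syntax documented above (field_name operator value, clauses joined with "and", the four operators, dotted field paths), run over constructed file-transfer records, followed by the filter-then-rank step the widget performs when it picks its top rows by Sort Column and Sort Order. Everything about the records is constructed: the hash strings are placeholders, the engine names and hostnames are made up, and the record layout (file.size, file.name, file.hashes, malwares, metadata.product.name, device.name) is assumed only so that the page's own example queries can be exercised. How DataBee itself tokenises values or treats a missing field is not stated on the page; the choices made here are marked as assumptions in the comments.

```python
import re
from typing import Any

# Constructed sample file-transfer records (not DataBee data). Hash strings
# are placeholders, not real indicators; engine and host names are made up.
SAMPLE_RECORDS = [
    {"file": {"name": "medical.flac", "size": 973_940, "hashes": "PLACEHOLDER-HASH-A"},
     "malwares": [], "severity_id": 1,
     "metadata": {"product": {"name": "Zeek"}}, "device": {"name": "workstation-42"}},
    {"file": {"name": "setup.exe", "size": 2_400_000, "hashes": "PLACEHOLDER-HASH-B"},
     "malwares": ["Hector Machine Learning Engine", "Signature Engine"], "severity_id": 5,
     "metadata": {"product": {"name": "CrowdStrike"}}, "device": {"name": "laptop-07"}},
    {"file": {"name": "director.html", "size": 12_100, "hashes": "PLACEHOLDER-HASH-C"},
     "malwares": ["Signature Engine"], "severity_id": 4,
     "metadata": {"product": {"name": "CrowdStrike"}}, "device": {"name": "workstation-42"}},
    {"file": {"name": "backup.tar", "size": 52_000_000, "hashes": "PLACEHOLDER-HASH-D"},
     "malwares": [], "severity_id": 0,
     "metadata": {"product": {"name": "Zeek"}}, "device": {"name": "fileserver-01"}},
]

# One clause: <field_name> <operator> <value>, as documented under Basic Syntax.
CLAUSE = re.compile(r"^\s*(\S+)\s+(in|notin|contains|between)\s+(.+?)\s*$", re.IGNORECASE)


def get_path(record: dict, path: str) -> Any:
    """Resolve a dotted path such as metadata.product.name; None if absent."""
    node: Any = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_query(query: str) -> list[tuple[str, str, str]]:
    """Split 'clause and clause ...' into (field, operator, raw_value) triples."""
    clauses = []
    for chunk in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE.match(chunk)
        if not m:
            raise ValueError(f"unparseable clause: {chunk!r}")
        field, op, raw = m.groups()
        clauses.append((field, op.lower(), raw))
    return clauses


def _values(raw: str) -> list[str]:
    """'(4,5,6)' -> ['4', '5', '6'];  'CrowdStrike' -> ['CrowdStrike']."""
    return [v.strip() for v in raw.strip().strip("()").split(",") if v.strip()]


def clause_matches(record: dict, field: str, op: str, raw: str) -> bool:
    value = get_path(record, field)
    if value is None:
        return False  # assumption: a record lacking the field never satisfies a clause
    if op == "in":
        return str(value) in _values(raw)
    if op == "notin":
        return str(value) not in _values(raw)
    if op == "contains":
        return raw.strip().lower() in str(value).lower()  # assumption: case-insensitive
    if op == "between":
        low, high = (float(v) for v in _values(raw))
        return low <= float(value) <= high  # inclusive, as the operator table states
    raise ValueError(op)


def run_query(records, query: str) -> list[dict]:
    """A blank Query includes every record, matching the widget's documented default."""
    if not query.strip():
        return list(records)
    clauses = parse_query(query)
    return [r for r in records if all(clause_matches(r, *c) for c in clauses)]


# Widget Sort Column names mapped onto the record values they rank by (assumed mapping).
SORT_KEYS = {
    "file_size": lambda r: get_path(r, "file.size"),
    "file_name": lambda r: get_path(r, "file.name"),
    "file_hash": lambda r: get_path(r, "file.hashes"),
    "malware_alerts": lambda r: len(get_path(r, "malwares") or []),
}


def top_files(records, query="", sort_column="file_size", descending=True, limit=10):
    """Filter by Query, then rank by Sort Column/Order and keep the top rows."""
    matched = run_query(records, query)
    ranked = sorted(matched, key=SORT_KEYS[sort_column], reverse=descending)
    return [get_path(r, "file.name") for r in ranked[:limit]]


if __name__ == "__main__":
    # The page's tip: malware_alerts, Descending, puts multi-engine detections first.
    print(top_files(SAMPLE_RECORDS, sort_column="malware_alerts"))
    print(top_files(SAMPLE_RECORDS, query="file.size between 1000000,999999999"))
```

Running the block prints the ranking for the malware_alerts tip and the "large files only" example from the table above. Note that the widget applies its own Time Range before the Query, so the evaluator deliberately has no time clause; the records fed to it are assumed to already fall inside the selected period.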
Interactive Features
- Click any file hash to pivot to Search, showing the complete transfer history for that file — including source/destination endpoints, timestamps, and associated network activity.
- Hover over truncated hashes to see the full SHA-256 value.
- Hover over file sizes to see the exact byte count.