Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0002 ✕ technique: T1071 ✕

Show ATT&CK heatmap
  • Scripting engine connected to a rare external host Low 3 variations

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Execution (TA0002)
    ATT&CK techniques: Application Layer Protocol (T1071) Command and Scripting Interpreter (T1059)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Connect to the attacker's Command and Control server.
    Investigative actions: Check the external address the process connects to. Fetch and investigate the executed script.

    Variations

    Scripting engine failed to connect to a rare external host

    Informational overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Scripting engine with a modified image name connected to a rare external host

    Low overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden

    Windows LOLBIN scripting engine connected to a rare external host

    Medium overridden

    Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity. overridden