Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0005 ✕ technique: T1071 ✕
Show ATT&CK heatmapGlobally uncommon IP address connection from a signed process Informational 3 variations
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Verify the destination IP address reputation. Check whether the actor process loaded a suspicious DLL before the alert. Check if the actor process was injected before the alert. Verify whether the process execution and connections are legitimate.Variations
Globally uncommon IP address connection from an injected thread in a signed process
Medium overridden
An injected thread in a signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon IP address connection from a signed process from a known vendor
Medium overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon and very rare IP address connection from a signed process
Low overridden
A signed process connected to an external IP address that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process Low 4 variations
A signed process connected to an external domain that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root domain from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
High overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root domain from a signed process
Medium overridden
A signed process connected to an external domain that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process Low 4 variations
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: System Binary Proxy Execution (T1218) Application Layer Protocol (T1071)Required data: XDR AgentDetector tags: Global Anomaly AnalyticsAttacker's goals: Attackers may use various methods to execute code in the context of a signed process to avoid detection.Investigative actions: Check the destination domain reputation. Check if the actor process loaded a suspicious dll before the alert. Check if the actor process was injected before the alert. Check if the process execution and connections are legitimate.Variations
Globally uncommon root-domain port combination from an injected thread in a signed process
High overridden
An injected thread in a signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
High overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden
Globally uncommon root-domain port combination from a signed process
Medium overridden
A signed process connected to an external domain on a specific port that, on a global level, it usually doesn't connect to. overridden