Analytics Alerts
Browse the Cortex analytics alert reference.
7 alerts match the current filters. tactic: TA0007 ✕ technique: T1046 ✕
Show ATT&CK heatmapAn internal Cloud resource performed port scan on external networks Medium Cloud
An internal cloud resource attempted to connect to the same destination port of multiple external IP addresses.This may be a result of the cloud resource being hijacked by an attacker.Attackers perform port scans on a specific destination port for reconnaissance purposes, to detect known vulnerable services that accept connections in the specific port, and perform targeted attacks against them.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Impact (TA0040)ATT&CK techniques: Network Service Discovery (T1046) Resource Hijacking (T1496) Cloud Service Discovery (T1526)Required data: AWS Flow Log AWS OCSF Flow Logs Azure Flow Log Gcp Flow Log XDR AgentAttacker's goals: Detect vulnerable services, which listen on known ports and are opened to the Internet.Investigative actions: Check if similar activity was performed on additional cloud resources. Check if similar activity was performed against additional ports and external ip addresses from the same cloud resource. Check which process triggered the port scanning activity and for what purpose.Kerberos Traffic from Non-Standard Process Medium 1 variation
The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known Kerberos port with a different protocol to evade detection.Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware. Check if this process was running on other endpoints as well.Variations
Rare Kerberos Traffic from a Process
Low overridden
The endpoint had a non-standard process communicating over ports normally used by Kerberos. An attacker might be using malicious tools to move laterally. overridden
Port Scan Informational 3 variations
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: Palo Alto Networks Firewall traffic Logs Third-Party FirewallsAttacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.Investigative actions: New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time. Check if the activity is a SYN-ACK scan. These might result in Cortex XDR Analytics detecting the scan as coming from the wrong direction, and could mean that Cortex XDR Analytics used the wrong baseline in triggering the alert. Check for port map and/or X11 usage. These usually open multiple ports. If the protocol usage for the specific destination is sparse, Cortex XDR Analytics could raise a false alert.Variations
Port scan by suspicious process
Low overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Highly suspicious port scan
Medium overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Suspicious port scan
Low overridden
The endpoint connected, or attempted to connect, to multiple privileged ports, which are infrequently used by other endpoints (i.e. destination ports that are normally used by many endpoints will not raise this alert).Attackers perform port scans for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port scans using data arriving solely from Cortex agents is incomplete. overridden
Port Sweep Informational 1 variation
The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.Investigative actions: Ensure that the source of the port sweep is not a new server in the network. New domain controllers or servers hosting services such as SNMP can cause false positives. Check for new known vulnerabilities in the ports scanned, this method is often used to target known vulnerabilities.Variations
Port Sweep to multiple subnets
Low overridden
The endpoint connected, or attempted to connect, to multiple hosts using privileged ports that serve a well-defined function.Attackers perform port sweep for reconnaissance purposes, to find computers or servers that accept connections on these ports, and to find vulnerable services that can be exploited.Coverage for port sweeps using data arriving solely from Cortex agents is incomplete. overridden
Possible network service discovery via command-line tool Low
An attacker may use command-line utilities to discover open ports and services on a remote host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 6 Hours
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Unavailable.Investigative actions: Unavailable.SMB Traffic from Non-Standard Process Low 1 variation
SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: using a custom protocol implementation that offers malicious functionality Using the well-known SMB port with a different protocol to evade detection. Either way, the attacker's goal is to gain access to another endpoint on your network.The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.Investigative actions: Make sure the process is not a scanner that implements its version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB. Make sure the process is not a sanctioned security product that creates standalone binaries for its use. For example, Illusive Network honeypots. Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their protocol implementations. For example, Java uses its Kerberos implementation. Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.Variations
SMB Traffic from Non-Standard Process on a sensitive server
Medium overridden
SMB traffic is usually performed by a standard set of privileged processes through designated ports.The endpoint had a non-standard process communicating over ports normally used by SMB.An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol. overridden
Unusual internal access to network device management interface Informational
Unusual internal access to Palo Alto Networks device on management port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.