Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0008 ✕ technique: T1046 ✕
Show ATT&CK heatmapUnusual internal access to network device management interface Informational
Unusual internal access to Palo Alto Networks device on management port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Lateral Movement (TA0008) Discovery (TA0007)ATT&CK techniques: Remote Services (T1021) Network Service Discovery (T1046)Required data: XDR AgentAttacker's goals: Attackers aim to compromise network infrastructure to redirect traffic, create illegitimate VPN tunnels, modify ACLs (Access Control Lists) to bypass segmentation, or perform Man-in-the-Middle (MitM) attacks.Investigative actions: Identify the source address and machine role (e.g., Is it a known Admin Jump Host or a standard workstation?). Validate if a change request exists for the target network device at the time of the event. Check the connection protocol (SSH/HTTPS vs. insecure Telnet/HTTP) and the port used. Review the login status: Was the authentication successful or failed? Investigate the source machine for network scanning tools or terminal clients (e.g., PuTTY, SecureCRT). Analyze the causality chain: Did a suspicious process launch the connection?. Check if the user associated with the source address has network administration privileges.