Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

3 alerts match the current filters. tactic: TA0043 ✕ technique: T1595 ✕

Show ATT&CK heatmap
  • Abnormal RPC traffic to multiple hosts Low 1 variation

    The endpoint performed unfamiliar RPC activity to multiple hosts.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning (T1595) Active Scanning: Vulnerability Scanning (T1595.002)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.
    Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.

    Variations

    Abnormal RPC traffic to multiple IPs

    Informational overridden

    The endpoint performed unfamiliar RPC activity to multiple hosts. overridden

  • Abnormal SMB scanning activity to multiple hosts Informational 4 variations

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    20 Minutes
    Deduplication:
    2 Days
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning (T1595)
    Required data: XDR Agent
    Attacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.
    Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

    Variations

    Highly rare SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare, SMB scanning activity to multiple hosts on the network. overridden

    Highly rare SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, and highly rare SMB scanning activity to multiple hosts on the network. overridden

    Abnormal SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden

    Abnormal SMB scanning activity to multiple hosts

    Low overridden

    An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden

  • Subdomain Fuzzing Low 1 variation

    The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    20 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Reconnaissance (TA0043)
    ATT&CK techniques: Active Scanning: Wordlist Scanning (T1595.003)
    Required data: Palo Alto Networks Firewall EAL Logs XDR Agent
    Attacker's goals: Scan a known external facing asset to gain knowledge about the organization.
    Investigative actions: Verify that the domain doesn't host numerous subdomains. Verify that the source of the scan is not a known external scanner.

    Variations

    Subdomain Fuzzing To a Rare Destination

    Medium overridden

    The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network. overridden