Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0043 ✕ technique: T1595 ✕
Show ATT&CK heatmapAbnormal RPC traffic to multiple hosts Low 1 variation
The endpoint performed unfamiliar RPC activity to multiple hosts.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning (T1595) Active Scanning: Vulnerability Scanning (T1595.002)Required data: Palo Alto Networks Firewall EAL Logs XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.Investigative actions: Check if the host is a newly deployed server that provides RPC based services to multiple hosts. Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.Variations
Abnormal RPC traffic to multiple IPs
Informational overridden
The endpoint performed unfamiliar RPC activity to multiple hosts. overridden
Abnormal SMB scanning activity to multiple hosts Informational 4 variations
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 20 Minutes
- Deduplication:
- 2 Days
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning (T1595)Required data: XDR AgentAttacker's goals: An adversary may use different protocols to enumerate and plan its lateral movement over the network.Investigative actions: Verify if the host is a newly deployed server that consists of SMB services to multiple hosts or periodic network mapping services. Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.Variations
Highly rare SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare, SMB scanning activity to multiple hosts on the network. overridden
Highly rare SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, and highly rare SMB scanning activity to multiple hosts on the network. overridden
Abnormal SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden
Abnormal SMB scanning activity to multiple hosts
Low overridden
An endpoint performed a new, unfamiliar SMB scanning activity to multiple hosts on the network. overridden
Subdomain Fuzzing Low 1 variation
The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 20 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Reconnaissance (TA0043)ATT&CK techniques: Active Scanning: Wordlist Scanning (T1595.003)Required data: Palo Alto Networks Firewall EAL Logs XDR AgentAttacker's goals: Scan a known external facing asset to gain knowledge about the organization.Investigative actions: Verify that the domain doesn't host numerous subdomains. Verify that the source of the scan is not a known external scanner.Variations
Subdomain Fuzzing To a Rare Destination
Medium overridden
The root domain within the network is experiencing an unusually high number of access requests to its subdomains, significantly exceeding the typical activity levels for that domain.This anomaly could suggest that someone is attempting to enumerate subdomains or uncover additional virtual hosts associated with the domain, possibly as part of a reconnaissance effort to identify vulnerable or less-secured entry points into the network. overridden