Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. technique: T1095 ✕
Show ATT&CK heatmapAbnormal Communication to a Rare Domain Informational 3 variations
An abnormal communication was seen from an internal entity to a rare domain.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR C2 DetectionAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.Variations
Abnormal Communication to a Rare Domain With a Port Commonly Used by Attack Platforms
Low overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Communication to a Rare Domain to a Suspicious Autonomous System (AS)
Informational overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Communication to a Rare Domain With a Less Common Port
Informational overridden
An abnormal communication was seen from an internal entity to a rare domain. overridden
Abnormal Recurring Communications to a Rare Domain Informational 4 variations
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR C2 DetectionAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.Variations
Abnormal Recurring Communications to a Rare Domain With a Port Commonly Used by Attack Platforms
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain With an Abnormal Domain Suffix
Informational overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Abnormal Recurring Communications to a Rare Domain With a Less Common Port
Low overridden
Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden
Rare communication over email ports to external email server by unsigned process Low
These methods are used by malware and attackers to leak data and remain undetected.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: XDR AgentDetector tags: EDR Windows C2 AnalyticsAttacker's goals: Attackers might use well-known email ports as a C&C channel to evade detection and firewall rules.Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.Recurring access to rare IP Low
The endpoint is periodically accessing an external fixed-IP address that its peers rarely use. Access to this external IP address has occurred repeatedly over many days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 21 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Application Layer Protocol (T1095)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.Investigative actions: Identify if the IP address belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious IP address. Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.