Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. technique: T1095 ✕

Show ATT&CK heatmap
  • Abnormal Communication to a Rare Domain Informational 3 variations

    An abnormal communication was seen from an internal entity to a rare domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR C2 Detection
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.

    Variations

    Abnormal Communication to a Rare Domain With a Port Commonly Used by Attack Platforms

    Low overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

    Abnormal Communication to a Rare Domain to a Suspicious Autonomous System (AS)

    Informational overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

    Abnormal Communication to a Rare Domain With a Less Common Port

    Informational overridden

    An abnormal communication was seen from an internal entity to a rare domain. overridden

  • Abnormal Recurring Communications to a Rare Domain Informational 4 variations

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR C2 Detection
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the external domain belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate domain names, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious domain name. Examine file-system operations performed by the process that initiated the traffic and look for potential artifacts on infected endpoints.

    Variations

    Abnormal Recurring Communications to a Rare Domain With a Port Commonly Used by Attack Platforms

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain With an Abnormal Domain Suffix

    Informational overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

    Abnormal Recurring Communications to a Rare Domain With a Less Common Port

    Low overridden

    Abnormal communications were seen from an internal entity to a rare external domain. This could be a case of beaconing to a C2 Server. overridden

  • Rare communication over email ports to external email server by unsigned process Low

    These methods are used by malware and attackers to leak data and remain undetected.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: XDR Agent
    Detector tags: EDR Windows C2 Analytics
    Attacker's goals: Attackers might use well-known email ports as a C&C channel to evade detection and firewall rules.
    Investigative actions: Check whether the initiator process is benign or normal for the host and/or user performing it. Check whether additional malicious commands were executed from the same process.
  • Recurring access to rare IP Low

    The endpoint is periodically accessing an external fixed-IP address that its peers rarely use. Access to this external IP address has occurred repeatedly over many days.This connection pattern is consistent with malware connecting to its command and control server for updates and operating instructions.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    21 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Application Layer Protocol (T1095)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Communicate with malicious code running on your network enabling further access to the endpoint and network, performing software updates on the endpoint, or for taking inventory of infected machines.
    Investigative actions: Identify if the IP address belongs to a reputable organization or an asset used in a public cloud. Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, therefore check for unusual apps used or unusual ports or volumes accessed. View all related traffic generated by the suspicious process to understand the purpose. Look for other endpoints on your network that are also contacting the suspicious IP address. Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.