Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

6 alerts match the current filters. technique: T1571 ✕

Show ATT&CK heatmap
  • Abnormal network communication through TOR using an uncommon port Low 2 variations

    Suspicious connection from a known TOR IP to an uncommon port.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: XDR Agent
    Attacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.
    Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.

    Variations

    Abnormal network communication through TOR using an uncommon port and App-id

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden

    Abnormal network communication through TOR using a suspicious port

    Low overridden

    Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden

  • Abnormal process connection to default Meterpreter port Informational 1 variation

    This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Non-Standard Port (T1571)
    Required data: XDR Agent
    Attacker's goals: Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.
    Investigative actions: Verify if the destination IP is running a Metasploit server. Look for malicious action being done by the suspicious process.

    Variations

    Abnormal process connection to default Meterpreter port on an internet-facing server

    Low overridden

    This process has probably been compromised by Meterpreter and is now used by it to run malicious commands. overridden

  • Download pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.
  • Rare AppID usage to a rare destination Informational 2 variations

    Rare AppID with port usage to rare destination.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    14 Days
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Attacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.
    Investigative actions: Investigate the endpoints participating in the session.

    Variations

    Rare AppID usage to a rare destination using an unsigned process

    Low overridden

    Rare AppID with port usage to rare destination. overridden

    Rare AppID usage to a rare destination from an internet-facing server

    Low overridden

    Rare AppID with port usage to rare destination. overridden

  • Uncommon SSH session was established Low 14 variations

    An uncommon SSH session was established.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party Firewalls
    Detector tags: NDR Lateral Movement Analytics
    Attacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.
    Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.

    Variations

    An Uncommon SSH session was established using a rare server HASSH for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden

    An Uncommon SSH session was established using a rare client HASSH for the agent

    Low overridden

    An uncommon SSH session was established using a rare client HASSH for the agent. overridden

    An Uncommon SSH session was established using a rare request banner for the agent

    Low overridden

    An Uncommon SSH session was established using a rare request banner for the agent. overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server

    Low overridden

    An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden

    An Uncommon SSH session was established using a rare Response banner

    Low overridden

    An Uncommon SSH session was established using a rare Response banner. overridden

    An Uncommon SSH session was established using a rare request banner

    Low overridden

    An Uncommon SSH session was established using a rare request banner. overridden

    An Uncommon SSH session was established using a rare Client HASSH

    Low overridden

    An uncommon SSH session was established using a rare client HASSH. overridden

    An Uncommon SSH session was established using a rare Server HASSH

    Low overridden

    An Uncommon SSH session was established using a rare Server HASSH. overridden

    A suspicious SSH session was established

    Low overridden

    A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden

    An Uncommon SSH session was established to a rare IP address

    Low overridden

    An uncommon SSH session was established to a rare remote IP address. overridden

    An Uncommon SSH session was established using a nonstandard SSH port

    Low overridden

    An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden

    Uncommon SSH session was established to a rare internal IP

    Low overridden

    An uncommon SSH session was established to a rare internal IP. overridden

    Uncommon SSH session was established that involved a higher than usual volume

    Low overridden

    Uncommon SSH session was established that involved a higher than usual volume. overridden

    Uncommon SSH session was established to an internal IP

    Informational overridden

    An uncommon SSH session was established to an internal IP. overridden

  • Upload pattern that resembles Peer to Peer traffic Informational

    A possible P2P protocol was spotted from an internal host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)
    ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)
    Required data: Palo Alto Networks Firewall traffic Logs XDR Agent
    Attacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.
    Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.