The Cortex XDR – Analytics Consecutive Connects alert indicates that the app detected multiple connections between endpoints, which is unusual behavior.
Enhanced Application logs can increase detection accuracy and provide additional context for the alert.
Two connections between endpoints have been detected that might indicate an attacker establishing an interactive shell with a remote endpoint. The first connection is probably short in duration, with a data volume consistent with exploitation traffic. The second connection occurs a brief period of time after the first is established, and is to the same endpoint but on a different port. This connection pattern is unusual when compared against the baseline for the endpoint and its peer group.
The attacker has established a connection to a remote machine. It is possible that they are using the connection to control that machine.
This might be symptomatic of an attacker moving from one endpoint to another as part of a manually operated attack. If true, the attacker is using the initial connection to open a new socket on the destination, either through legitimate use of a service running on the destination or by exploiting a service vulnerability. In this scenario, the attacker then uses a second, follow-on connection to the destination in order to continue the attack, such as by uploading a new stage of a staged payload or accessing the new bind shell.
Make sure the identified endpoint is not legitimately running an application that routinely creates a control channel and a data channel, as these can result in a false positive for this alert. Examples of this type of application are Skype and FTP in active mode.
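The following Python script is an added illustration of the connection pattern described above, written for this page; it is not Cortex XDR code and does not reproduce the product's analytics. It scans a list of constructed network flow records and flags a source/destination pair where a short, low-volume first connection is followed within a few minutes by a second connection to the same destination on a different port. The thresholds, the `Flow` record layout and the control-port allowlist (port 21 standing in for an application that legitimately opens a control channel and then a data channel) are assumptions chosen for the example; the peer-group baselining that the real alert performs is omitted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby


@dataclass(frozen=True)
class Flow:
    """One observed network connection (assumed record layout)."""
    src: str          # source endpoint
    dst: str          # destination endpoint
    dport: int        # destination port
    start: datetime   # connection start
    end: datetime     # connection end
    bytes_total: int  # bytes transferred in both directions


def _t(hhmmss: str) -> datetime:
    """Build a timestamp on a fixed day from an HH:MM:SS string."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2024, 1, 1, h, m, s)


# Constructed sample flows for the example; not real telemetry.
SAMPLE_FLOWS = [
    # Short, low-volume connection to 445, then a new port 20 s later: the pattern.
    Flow("10.0.0.5", "10.0.0.9", 445, _t("12:00:00"), _t("12:00:04"), 3_000),
    Flow("10.0.0.5", "10.0.0.9", 4444, _t("12:00:20"), _t("12:10:20"), 50_000),
    # FTP-style control channel followed by a data channel: allowlisted application.
    Flow("10.0.0.7", "10.0.0.20", 21, _t("12:05:00"), _t("12:05:05"), 900),
    Flow("10.0.0.7", "10.0.0.20", 50123, _t("12:05:02"), _t("12:05:03"), 120_000),
    # Two connections to the same port: not the pattern.
    Flow("10.0.0.8", "10.0.0.30", 443, _t("12:10:00"), _t("12:10:01"), 2_000),
    Flow("10.0.0.8", "10.0.0.30", 443, _t("12:10:30"), _t("12:10:31"), 2_000),
    # First connection is a long, high-volume session, not exploitation-sized.
    Flow("10.0.0.11", "10.0.0.40", 22, _t("13:00:00"), _t("14:00:00"), 5_000_000),
    Flow("10.0.0.11", "10.0.0.40", 8080, _t("13:01:00"), _t("13:01:05"), 4_000),
]

# Ports whose service legitimately opens a control channel and then a data
# channel. Assumed example value (FTP control port); tune per environment.
CONTROL_PORT_ALLOWLIST = frozenset({21})


def find_consecutive_connects(
    flows,
    max_gap=timedelta(minutes=5),            # second connection must start within this window
    max_first_duration=timedelta(seconds=30),  # first connection must be brief
    max_first_bytes=20_000,                  # first connection must be low-volume
    allowlist=CONTROL_PORT_ALLOWLIST,
):
    """Return (src, dst, first_port, second_port, gap_seconds) for each match."""
    hits = []
    ordered = sorted(flows, key=lambda f: (f.src, f.dst, f.start))
    for _, group in groupby(ordered, key=lambda f: (f.src, f.dst)):
        seq = list(group)
        # Compare each connection with the next one between the same two endpoints.
        for first, second in zip(seq, seq[1:]):
            gap = second.start - first.start
            if first.dport == second.dport:
                continue  # same service again, not a control-then-data pattern
            if not (timedelta(0) <= gap <= max_gap):
                continue  # too far apart to be a follow-on connection
            if first.end - first.start > max_first_duration:
                continue  # first connection is a normal long session
            if first.bytes_total > max_first_bytes:
                continue  # first connection carried too much data for exploitation traffic
            if first.dport in allowlist:
                continue  # known application with a legitimate control/data channel pair
            hits.append((first.src, first.dst, first.dport, second.dport,
                         int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for hit in find_consecutive_connects(SAMPLE_FLOWS):
        src, dst, p1, p2, gap = hit
        print(f"consecutive connects: {src} -> {dst} port {p1} then port {p2} after {gap}s")
```

Only the first pair is reported; the FTP pair is suppressed by the allowlist, the repeated 443 connections share a port, and the SSH session is too long to look like an exploitation burst. Passing `allowlist=frozenset()` shows how the FTP-style pair would surface as the false positive the text warns about.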