Failed Connections

The Cortex XDR – Analytics Failed Connections alert indicates that a endpoint has an abnormally high level of failed connections to other endpoints which have been inactive for a long time, or that have never been seen on the network.


Every 10 minutes.
14 days.
21 days.
3 days.
Traffic logs or Traps endpoint data.


An endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR – Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.
It is possible that your network has legitimate scanners that could cause a false positive for this alert. Cortex XDR – Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.

Attacker's Goals

An attacker does not know your network and is exploring it for new or unknown subnets.

Investigative Actions

  • Validate that the source is not a sanctioned port scanner.
  • Check for suspicious artifacts in the endpoint profile.

Related Documentation