The Cortex XDR – Analytics Failed Connections alert indicates that an endpoint has an abnormally high number of failed connections to other endpoints that have been inactive for a long time, or that have never been seen on the network.
Detection interval: Every 10 minutes.
Data sources: Traffic logs or Traps endpoint data.
An endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR – Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.
It is possible that your network has legitimate scanners that could cause a false positive for this alert. Cortex XDR – Analytics attempts to filter these out by checking whether a scanner has been active for a long, uninterrupted period of time. Consequently, if this alert fires, it represents new activity on your network.
An attacker does not know your network and is exploring it for new or unknown subnets.
- Validate that the source is not a sanctioned port scanner.
- Check for suspicious artifacts in the endpoint profile.
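A simplified model of the detector described above, added here as an illustration and not Cortex XDR – Analytics' own logic. It classifies each failed connection in the last 10-minute window as going to a "missing" (never seen) or "inactive" (silent for more than 24 hours) destination, drops sources that have been failing for so long that they look like a sanctioned scanner, and reports sources over a count threshold. The 7-day scanner horizon, the threshold of 3 and the traffic log are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
INACTIVE_AFTER = timedelta(hours=24)    # page: destination inactive for more than 24 hours
WINDOW = timedelta(minutes=10)          # page: the detector runs every 10 minutes
SCANNER_HISTORY = timedelta(days=7)     # assumed: a source failing this long is a known scanner
T = datetime.fromisoformat
# Constructed traffic log, not real telemetry: (time, src, dst, outcome)
LOG = [
    (T("2023-12-01 09:00"), "10.0.1.30", "10.0.0.50", "fail"),  # scanner, failing for weeks
    (T("2024-01-08 10:00"), "10.0.0.2",  "10.0.0.7",  "ok"),    # 10.0.0.7 last active 2 days ago
    (T("2024-01-10 11:50"), "10.0.0.2",  "10.0.0.5",  "ok"),    # 10.0.0.5 active right now
    (T("2024-01-10 11:52"), "10.0.1.20", "10.0.0.9",  "fail"),  # never seen on the network
    (T("2024-01-10 11:53"), "10.0.1.20", "10.0.0.10", "fail"),  # never seen
    (T("2024-01-10 11:55"), "10.0.1.20", "10.0.0.7",  "fail"),  # inactive > 24h
    (T("2024-01-10 11:56"), "10.0.1.20", "10.0.0.5",  "fail"),  # active host, not counted
    (T("2024-01-10 11:57"), "10.0.1.30", "10.0.0.12", "fail"),  # scanner again, filtered
    (T("2024-01-10 11:58"), "10.0.1.40", "10.0.0.15", "fail"),  # single failure, below threshold
]

def last_activity(log):
    """Latest time each endpoint was seen: as any source, or as the destination of a successful connection."""
    seen = {}
    for ts, src, dst, outcome in log:
        seen[src] = max(seen.get(src, ts), ts)
        if outcome == "ok":
            seen[dst] = max(seen.get(dst, ts), ts)
    return seen

def first_failure(log):
    """Earliest failed connection per source; long-running failers are treated as sanctioned scanners."""
    first = {}
    for ts, src, _, outcome in log:
        if outcome == "fail":
            first[src] = min(first.get(src, ts), ts)
    return first

def detect(log, now, threshold=3):
    """Sources whose failed connections to missing or inactive endpoints in the last window reach threshold."""
    seen, first = last_activity(log), first_failure(log)
    tally = defaultdict(Counter)
    for ts, src, dst, outcome in log:
        if outcome != "fail" or ts < now - WINDOW:
            continue
        if now - first[src] > SCANNER_HISTORY:   # filter long-running scanner (the page's false-positive guard)
            continue
        if dst not in seen:
            tally[src]["missing"] += 1
        elif now - seen[dst] > INACTIVE_AFTER:
            tally[src]["inactive"] += 1
    return {src: dict(c) for src, c in tally.items() if sum(c.values()) >= threshold}
```

Running `detect(LOG, T("2024-01-10 12:00"))` flags only 10.0.1.20, with a mixture of two missing and one inactive destination, while the long-running scanner and the single-failure host are left out.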