High Connection Rate

The Cortex XDR – Analytics High Connection Rate alert indicates that an endpoint is performing an unusually high number of successful connections to susceptible ports on a remote endpoint.

Synopsis

  • Detector time windows: 1 hour, 10 days, 14 days, 1 day.
  • Required data: Traffic logs or Traps endpoint data.
  • ATT&CK tactics: Lateral movement, discovery.

Description

An endpoint is performing an unusually large number of successful connections to susceptible ports on one or more remote endpoints. Susceptible ports are ports on which server services listen that attackers commonly target for a number of malicious purposes (database, directory and remote administration services are typical examples). Successful here means the session was established, so the alert reflects heavy use of a service rather than probing of closed ports.
The detector assumes that normal users do not initiate a large number of connections to a specific destination on a susceptible port, and that a large number of users do not initiate multiple sessions to such ports on a routine basis. Activity is compared against a learned baseline, so a burst that is unusual for a given source is what raises the alert.
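The following script is an added illustration of the detection logic described above; it is not Cortex XDR's detector and does not reproduce its actual thresholds. It runs a constructed CSV-style traffic log (timestamp, source, destination, destination port, action) through a per-source baseline learned from earlier hours, then flags source/destination/port triples in the test hour whose count of allowed connections exceeds a multiple of that baseline. The port list, log format, multiplier and absolute floor are all assumptions chosen for the example.

```python
"""Toy re-implementation of a "high connection rate to susceptible ports" detector.

Added example, not Cortex XDR code. Port set, log format and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed set of service ports an attacker would hammer (SSH, RPC, LDAP/LDAPS,
# SMB, MSSQL, MySQL, RDP, WinRM). Not the product's list.
SUSCEPTIBLE_PORTS = {22, 135, 389, 445, 636, 1433, 3306, 3389, 5985}
LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Parse one assumed log line: timestamp,src,dst,dport,action."""
    ts, src, dst, dport, action = line.strip().split(",")
    return {"ts": datetime.strptime(ts, LOG_FORMAT), "src": src, "dst": dst,
            "dport": int(dport), "ok": action == "allow"}


def is_counted(record):
    """Only established sessions to susceptible ports count; denies are ignored."""
    return record["ok"] and record["dport"] in SUSCEPTIBLE_PORTS


def build_baseline(training_records):
    """Per-source peak number of counted connections in any single training hour."""
    hourly = Counter()
    for r in training_records:
        if is_counted(r):
            hourly[(r["src"], r["ts"].replace(minute=0, second=0))] += 1
    peak = defaultdict(int)
    for (src, _hour), n in hourly.items():
        peak[src] = max(peak[src], n)
    return peak


def detect(lines, test_start, test_hours=1, factor=3, min_abs=20):
    """Return alerts for (src, dst, port) triples that exceed the learned baseline.

    Threshold = max(factor * peak hourly count for that source, min_abs), so a
    source with no history still needs at least min_abs sessions to alert.
    """
    records = [parse_line(l) for l in lines if l.strip()]
    test_end = test_start + timedelta(hours=test_hours)
    training = [r for r in records if r["ts"] < test_start]
    testing = [r for r in records if test_start <= r["ts"] < test_end]
    baseline = build_baseline(training)

    per_triple = Counter()
    for r in testing:
        if is_counted(r):
            per_triple[(r["src"], r["dst"], r["dport"])] += 1

    alerts = []
    for (src, dst, port), n in per_triple.items():
        threshold = max(factor * baseline.get(src, 0), min_abs)
        if n > threshold:
            alerts.append({"src": src, "dst": dst, "dport": port,
                           "count": n, "threshold": threshold})
    return sorted(alerts, key=lambda a: -a["count"])


def build_sample_log():
    """Constructed sample log (not real data) plus the start of the test hour."""
    lines = []
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    # Training window: 48 hours in which 10.0.0.5 opens two SMB sessions per hour
    # to a file server. This is the routine behaviour the baseline learns.
    for h in range(48):
        for k in range(2):
            ts = (t0 + timedelta(hours=h, minutes=10 * k)).strftime(LOG_FORMAT)
            lines.append(f"{ts},10.0.0.5,10.0.0.20,445,allow")
    t1 = t0 + timedelta(hours=48)  # test hour
    # Burst of 40 allowed MSSQL sessions from the same host: should alert.
    for k in range(40):
        ts = (t1 + timedelta(seconds=30 * k)).strftime(LOG_FORMAT)
        lines.append(f"{ts},10.0.0.5,10.0.0.21,1433,allow")
    # 60 denied SMB attempts: unsuccessful, so not counted here.
    for k in range(60):
        ts = (t1 + timedelta(seconds=20 * k)).strftime(LOG_FORMAT)
        lines.append(f"{ts},10.0.0.7,10.0.0.30,445,deny")
    # 100 allowed HTTP sessions: port 80 is not in the susceptible set, ignored.
    for k in range(100):
        ts = (t1 + timedelta(seconds=10 * k)).strftime(LOG_FORMAT)
        lines.append(f"{ts},10.0.0.8,10.0.0.40,80,allow")
    return lines, t1


if __name__ == "__main__":
    sample, test_start = build_sample_log()
    for alert in detect(sample, test_start):
        print(alert)
```

The example deliberately separates "successful" from "attempted": the denied burst from 10.0.0.7 produces no alert, which mirrors the page's emphasis on established sessions. In a real deployment the baseline would also be keyed per destination and the port set would come from the product, not a hard-coded constant.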

Attacker's Goals

This alert could indicate any of the following:
  • An attacker is scraping data services for useful data; for example, dumping an entire database or Active Directory.
  • The attacker might be seeking authentication credentials using a brute force username and password attack against the service.
  • The attacker might be using fuzz testing to look for vulnerabilities on the remote endpoint. Fuzz testing sends unexpected, invalid, and/or random data to software, typically over many short sessions. In this context, the attacker is likely using the fuzzer in an attempt to discover memory-corruption bugs such as buffer overflows in the server.

Investigative Actions

  • Examine Alert Details > Overview to identify the source endpoint, the process that initiated the connections, and the process owner, to determine who or what is performing the network activity.
  • Examine the endpoint profile to confirm which process is responsible for the suspicious connections and whether that process and its connection pattern are expected for this host.
