High Connection Rate
The Cortex XDR – Analytics High Connection Rate alert indicates that an endpoint is performing an unusually high number of successful connections to susceptible ports on a remote endpoint.
Data source: Traffic logs or Traps endpoint data.
Attack category: Lateral movement, discovery.
An endpoint is performing an unusually large number of successful connections to susceptible ports on one or more remote endpoints. Susceptible ports are ports on which server services listen and that attackers might abuse for a number of malicious purposes.
The detector assumes normal users do not initiate a large number of connections to specific destinations on susceptible ports, and that a large number of users are not initiating multiple sessions to those ports on a routine basis.
This alert could indicate any of the following:
- An attacker is scraping data services for useful data; for example, dumping an entire database or Active Directory.
- The attacker might be seeking authentication credentials using a brute-force username and password attack against the service.
- The attacker might be using fuzz testing to look for vulnerabilities on the remote endpoint. Fuzz testing sends unexpected, invalid, and/or random data to software. In this context, the attacker is likely using the fuzzer in an attempt to discover buffer overflow vulnerabilities in the server.
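The two assumptions the detector makes (a single user does not open many sessions to one destination on a susceptible port, and a port is not flagged when a large population of users talks to it routinely) can be written down as a small counting rule. The following is an added example, not Cortex XDR code or its actual analytics model: it assumes a constructed whitespace-separated traffic log format (`<src> <dst> <dport> <allow|deny>`), an illustrative susceptible-port list, and two fixed thresholds standing in for the learned baseline.

```python
"""Toy detector for the High Connection Rate pattern.

Added example, not Cortex XDR code. The susceptible-port list, the log
format and the thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Assumption: ports on which server services listen and that attackers
# commonly target. The page does not publish Cortex XDR's actual list.
SUSCEPTIBLE_PORTS = {22, 135, 139, 389, 445, 636, 1433, 3306, 3389, 5985}


class Conn(NamedTuple):
    src: str       # source endpoint
    dst: str       # destination endpoint
    dport: int     # destination port
    success: bool  # True when the session was established


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: <src> <dst> <dport> <allow|deny>."""
    src, dst, dport, action = line.split()
    return Conn(src, dst, int(dport), action == "allow")


def successful_to_susceptible(conns: Iterable[Conn]) -> Counter:
    """Count successful sessions per (src, dst, dport) on susceptible ports.
    Failed attempts are ignored here; they belong to a different detector."""
    counts: Counter = Counter()
    for c in conns:
        if c.success and c.dport in SUSCEPTIBLE_PORTS:
            counts[(c.src, c.dst, c.dport)] += 1
    return counts


def routine_services(conns: Iterable[Conn], min_sources: int) -> Set[Tuple[str, int]]:
    """(dst, dport) pairs that at least min_sources distinct endpoints use
    successfully. This stands in for the second assumption: a service that
    many users talk to routinely is part of the baseline, not an anomaly."""
    sources: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for c in conns:
        if c.success and c.dport in SUSCEPTIBLE_PORTS:
            sources[(c.dst, c.dport)].add(c.src)
    return {svc for svc, srcs in sources.items() if len(srcs) >= min_sources}


def detect(lines: Iterable[str], threshold: int = 20, min_sources: int = 5) -> List[dict]:
    """Return one alert per (src, dst, dport) whose successful-session count
    reaches `threshold`, unless the service is routine for the population."""
    conns = [parse_line(line) for line in lines if line.strip()]
    counts = successful_to_susceptible(conns)
    routine = routine_services(conns, min_sources)
    alerts = []
    for (src, dst, dport), n in sorted(counts.items()):
        if n >= threshold and (dst, dport) not in routine:
            alerts.append({"src": src, "dst": dst, "dport": dport, "count": n})
    return alerts


# Constructed sample log covering the cases the alert text distinguishes.
SAMPLE_LOG: List[str] = []
# One workstation opens 40 successful MSSQL sessions to one server -> alert.
SAMPLE_LOG += ["10.0.0.5 10.0.1.20 1433 allow"] * 40
# Same workstation, 40 HTTPS sessions; 443 is not a susceptible port -> no alert.
SAMPLE_LOG += ["10.0.0.5 10.0.1.30 443 allow"] * 40
# 40 SMB attempts, all denied -> not this detector (see Failed Connections).
SAMPLE_LOG += ["10.0.0.6 10.0.1.40 445 deny"] * 40
# Twenty hosts each bind 25 times to the domain controller's LDAP port -> routine baseline.
SAMPLE_LOG += [f"10.0.0.{i} 10.0.1.10 389 allow" for i in range(10, 30) for _ in range(25)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block prints a single alert for 10.0.0.5 against 10.0.1.20:1433. Raising `min_sources` above the population size removes the "routine service" exemption and every LDAP client is flagged as well, which is the false-positive class the detector's second assumption is meant to avoid.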
- Examine Alert Details > Overview to identify the source endpoint, the process performing the connections, and the process owner, to determine who or what is performing the network activity.
- Examine the endpoint profile to identify the process that is being used for the suspicious connections.