New Administrative Behavior
The Cortex XDR – Analytics New Administrative Behavior alert indicates that an endpoint is performing administrative network activities, but the endpoint historically does not perform these activities.
Detection Frequency: Every 10 minutes.
Detection Interval: Between 10 minutes and 1 day (from 00:00:00 UTC until now).
Data Sources: Traffic logs or Traps endpoint data.
An endpoint is engaging in network activities that are attributable to administrative functions. However, the endpoint historically does not engage in these administrative activities. In raising this alert, Cortex XDR – Analytics considers the network protocols being used to support the administrative activity.
It is possible that an endpoint will infrequently be used for administrative activities, so Cortex XDR – Analytics performs the baseline evaluation using logs collected over a long period of time. Cortex XDR – Analytics also evaluates the activity compared to what other endpoints are doing. That is, if many endpoints are contacting the same destination with the same activity, then the network activity is less likely to result in this alert.
Cortex XDR – Analytics assumes that ordinary users perform few or no administrative actions. It also assumes that IT personnel and scanners have specific roles that result in limited, narrowly defined administrative activities. Under some circumstances (for example, small networks), these assumptions might not hold. In that case, some manual intervention on your part may be required to avoid false positives (described in Investigative Actions, below).
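The baseline-plus-peer logic described above, reduced to a small added example (not Cortex XDR code): an endpoint is flagged only if it used an administrative protocol in the current window, had no such activity across the long baseline window, and is not one of many endpoints doing the same thing to the same destination. The administrative port-to-protocol map, the peer threshold and the flow records are assumptions constructed for the example; the page does not list which protocols the product treats as administrative.

```python
from collections import defaultdict

# Assumption: destination ports treated as administrative protocols.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 445: "smb"}
# Assumption: this many distinct sources to the same destination+protocol
# means the activity is common across the estate, so it is not alerted.
PEER_THRESHOLD = 3

def admin_flows(flows):
    """Yield (src, dst, proto) for flows that use an administrative protocol."""
    for src, dst, dport in flows:
        proto = ADMIN_PORTS.get(dport)
        if proto:
            yield src, dst, proto

def build_baseline(history):
    """Endpoints that performed any admin activity over the long baseline window."""
    return {src for src, _, _ in admin_flows(history)}

def new_admin_behavior(history, current):
    """Return sorted (src, dst, proto) tuples that would raise the alert."""
    baseline = build_baseline(history)
    peers = defaultdict(set)                  # (dst, proto) -> set of sources
    for src, dst, proto in admin_flows(current):
        peers[(dst, proto)].add(src)
    alerts = set()
    for src, dst, proto in admin_flows(current):
        if src in baseline:                   # endpoint historically does admin work
            continue
        if len(peers[(dst, proto)]) >= PEER_THRESHOLD:  # many endpoints do the same
            continue
        alerts.add((src, dst, proto))
    return sorted(alerts)

# Constructed sample flows as (src, dst, dst_port); "history" stands in for
# the long baseline window and "current" for the latest 10-minute interval.
HISTORY = [("admin-ws", "srv1", 22), ("user-ws", "web", 443), ("ws-a", "web", 443)]
CURRENT = [
    ("user-ws", "srv2", 3389),   # never did admin before -> alert
    ("admin-ws", "srv2", 3389),  # in baseline -> no alert
    ("ws-a", "fs", 445), ("ws-b", "fs", 445), ("ws-c", "fs", 445),  # common -> no alert
    ("user-ws", "web", 443),     # not an admin protocol
]

if __name__ == "__main__":
    print(new_admin_behavior(HISTORY, CURRENT))
```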
Attacker's Goals
An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.
Investigative Actions
- Investigate the endpoint to determine if it is legitimately being used for administrative functions.