New Administrative Behavior

The Cortex XDR – Analytics New Administrative Behavior alert indicates that an endpoint is performing administrative network activities, but the endpoint historically does not perform these activities.

Synopsis

Every 10 minutes.
14 days.
21 days.
Between 10 minutes and 1 day (from 00:00:00 UTC until now).
Traffic logs or Traps endpoint data.
Lateral movement.

Description

An endpoint is engaging in network activities that are attributable to administrative functions, but the endpoint historically does not engage in these activities. In raising this alert, Cortex XDR – Analytics considers which network protocols are being used to carry the administrative activity.
Because an endpoint may be used for administrative activities only infrequently, Cortex XDR – Analytics builds the baseline from logs collected over a long period of time. It also compares the activity with what other endpoints are doing: if many endpoints contact the same destination with the same kind of activity, that network activity is less likely to raise this alert.
Cortex XDR – Analytics assumes that ordinary users perform few or no administrative actions, and that IT personnel and scanners have specific roles that result in limited, narrowly defined administrative activities. In some environments (for example, small networks) these assumptions might not hold, and some manual intervention on your part may be required to avoid false positives (see Investigative Actions, below).
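As an added illustration, not code from Cortex XDR and not its actual detection algorithm, the following Python sketch implements the kind of logic the description above outlines: a per-endpoint baseline of administrative protocols built over a long training window, a minimum-history requirement before an endpoint can be judged, and a peer comparison that suppresses activity many endpoints share. The port-to-protocol table, the thresholds, the minimum-history rule and the log lines are all assumptions constructed for the example.

```python
# Added example (not Cortex XDR code): a toy "new administrative behavior" detector.
# ADMIN_PORTS, the thresholds and the sample logs are assumptions made for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed administrative protocols, keyed by destination port (hypothetical list).
ADMIN_PORTS = {22: "SSH", 135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

TRAINING_DAYS = 21       # mirrors the 21-day training period in the Synopsis
MIN_BASELINE_DAYS = 14   # assumed: an endpoint needs this many days of history to be judged
PEER_THRESHOLD = 3       # assumed: (destination, protocol) seen from this many sources is "common"


def parse_line(line):
    """Parse a constructed traffic-log line of the form 'ISO-timestamp,src,dst,dport'."""
    ts, src, dst, dport = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}


def build_baseline(flows, train_start, train_end):
    """Per-source set of admin protocols used in training, and the days each source was seen."""
    protos = defaultdict(set)
    days_seen = defaultdict(set)
    for f in flows:
        if not (train_start <= f["ts"] < train_end):
            continue
        days_seen[f["src"]].add(f["ts"].date())
        proto = ADMIN_PORTS.get(f["dport"])
        if proto:
            protos[f["src"]].add(proto)
    return protos, days_seen


def detect(lines, test_start, test_end):
    """Return (src, dst, protocol) tuples for admin activity that is new for the source."""
    flows = [parse_line(line) for line in lines]
    train_start = test_start - timedelta(days=TRAINING_DAYS)
    protos, days_seen = build_baseline(flows, train_start, test_start)

    # Peer comparison: which sources use each (destination, protocol) across training and test.
    peers = defaultdict(set)
    for f in flows:
        proto = ADMIN_PORTS.get(f["dport"])
        if proto and train_start <= f["ts"] < test_end:
            peers[(f["dst"], proto)].add(f["src"])

    alerts = []
    for f in flows:
        if not (test_start <= f["ts"] < test_end):
            continue
        proto = ADMIN_PORTS.get(f["dport"])
        if proto is None:
            continue                                   # not an administrative protocol
        src = f["src"]
        if len(days_seen[src]) < MIN_BASELINE_DAYS:
            continue                                   # too little history to call it "new"
        if proto in protos[src]:
            continue                                   # this endpoint already uses the protocol
        if len(peers[(f["dst"], proto)]) >= PEER_THRESHOLD:
            continue                                   # many endpoints do the same thing
        key = (src, f["dst"], proto)
        if key not in alerts:
            alerts.append(key)
    return alerts


def make_sample_logs():
    """Constructed sample traffic logs (not real data): 21 days of training plus one test day."""
    lines = []
    day0 = datetime(2024, 3, 1)
    for d in range(TRAINING_DAYS):
        t = (day0 + timedelta(days=d, hours=9)).isoformat()
        lines.append(f"{t},admin-01,srv-app-01,3389")          # admin host: RDP every day
        for ws in ("ws-07", "ws-12", "ws-13", "ws-14"):
            lines.append(f"{t},{ws},proxy-01,443")             # workstations: web traffic only
    test = (day0 + timedelta(days=TRAINING_DAYS, hours=10)).isoformat()   # 2024-03-22 10:00
    lines += [
        f"{test},admin-01,srv-db-02,3389",   # RDP is normal for admin-01: no alert
        f"{test},ws-07,srv-db-02,3389",      # first RDP ever from ws-07: alert
        f"{test},ws-07,srv-db-02,445",       # and SMB to the same host: second alert
        f"{test},ws-12,fs-01,445",           # SMB to a file server from three peers
        f"{test},ws-13,fs-01,445",           # at once: common activity, suppressed
        f"{test},ws-14,fs-01,445",
        f"{test},ws-99,srv-db-02,22",        # never seen in training: insufficient history
    ]
    return lines


def run_sample():
    return detect(make_sample_logs(), datetime(2024, 3, 22), datetime(2024, 3, 23))


if __name__ == "__main__":
    for src, dst, proto in run_sample():
        print(f"ALERT new administrative behavior: {src} -> {dst} ({proto})")
```

Running the sketch alerts only on ws-07 (RDP and SMB to srv-db-02); admin-01 is covered by its baseline, the three workstations talking SMB to fs-01 are suppressed by the peer comparison, and ws-99 is skipped because it has no history to compare against. Real deployments would also have to cope with endpoints that change IP addresses, which is why a baseline keyed on a stable endpoint identity rather than an address is preferable.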

Attacker's Goals

An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.

Investigative Actions

  • Investigate the endpoint to determine whether it is legitimately being used for administrative functions.

Related Documentation