The Cortex XDR – Analytics Port Scan alert indicates that an endpoint is scanning remote endpoints for open privileged ports.
Detection interval: Every 10 minutes.
Data sources: Traffic logs or Traps endpoint data.
Synopsis: An endpoint is scanning remote endpoints for privileged ports (lower than 1024). The ports that the endpoint is scanning are infrequently used by other endpoints (destinations that are normally used by many other endpoints will not raise this alert). Also, the traffic is not related to FTP or DCE/RPC.
The scanning activity exceeds the baseline average number of port connections for endpoints of this type.
Attacker's goals: An attacker is determining which ports are open or closed on remote endpoints in an attempt to identify the endpoint operating system, firewall configuration, and exploitable services.
False positives:
- New endpoints that use multiple ports can cause a false positive. Ensure that the endpoint is not new on the network, and is not hosting services such as FTP servers or domain controllers that are being contacted for the first time.
- Check whether the activity is a SYN-ACK scan. A SYN-ACK scan can cause Cortex XDR – Analytics to see the scan as coming from the wrong direction, which means it may have applied the wrong baseline when triggering the alert.
- Check for portmap (RPC portmapper) and/or X11 usage. These services usually open multiple ports, and if the protocol usage for the specific destination is sparse, Cortex XDR – Analytics could raise a false alert.
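To make the detection criteria above concrete (privileged ports only, rare destinations only, FTP and DCE/RPC excluded, per-endpoint-type baseline, 10-minute window), here is a toy reconstruction of that logic run over a few constructed traffic log lines. It is an added illustration, not Cortex XDR code: the log format, the port numbers assumed for the FTP/DCE-RPC exclusion (20, 21, 135), the "popular destination" threshold, the 3x-baseline multiplier and the baseline averages are all assumptions made for the example. Cortex XDR learns its baselines itself; this version takes them as input.

```python
"""Toy Port Scan detector modelled on the criteria in the alert description.

Constructed example, not Cortex XDR code. The log layout, the port->protocol
mapping, the thresholds and the baseline values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

PRIVILEGED_MAX = 1024                      # page: privileged ports are lower than 1024
EXCLUDED_PORTS = {20, 21, 135}             # assumption: FTP (20/21) and DCE/RPC endpoint mapper (135)
POPULAR_THRESHOLD = 3                      # assumption: >= 3 distinct sources makes a (dst, port) "normal"
DETECTION_WINDOW = timedelta(minutes=10)   # page: the detector runs every 10 minutes
BASELINE_MULTIPLIER = 3.0                  # assumption: alert when count exceeds 3x the type baseline


@dataclass(frozen=True)
class Session:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(line: str) -> Session:
    """Constructed line format: '<iso-timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Session(datetime.fromisoformat(ts), src, dst, int(dport))


def popular_targets(sessions):
    """(dst, dport) pairs reached by at least POPULAR_THRESHOLD distinct sources.

    Mirrors the rule that destinations normally used by many endpoints do not
    count toward a scan (e.g. a file server's SMB port).
    """
    users = defaultdict(set)
    for s in sessions:
        users[(s.dst, s.dport)].add(s.src)
    return {k for k, v in users.items() if len(v) >= POPULAR_THRESHOLD}


def scan_candidates(sessions, window_end):
    """Per source endpoint: number of distinct rare privileged targets in the last window."""
    popular = popular_targets(sessions)
    window_start = window_end - DETECTION_WINDOW
    targets = defaultdict(set)
    for s in sessions:
        if not (window_start <= s.ts <= window_end):
            continue                                   # outside the 10-minute window
        if s.dport >= PRIVILEGED_MAX or s.dport in EXCLUDED_PORTS:
            continue                                   # not privileged, or FTP / DCE-RPC
        if (s.dst, s.dport) in popular:
            continue                                   # commonly used destination
        targets[s.src].add((s.dst, s.dport))
    return {src: len(t) for src, t in targets.items()}


def port_scan_alerts(sessions, window_end, endpoint_type, baseline_avg):
    """Raise (src, count, type, baseline) when count exceeds the type's baseline."""
    alerts = []
    for src, count in scan_candidates(sessions, window_end).items():
        kind = endpoint_type.get(src, "unknown")
        baseline = baseline_avg.get(kind, 0.0)
        if count > BASELINE_MULTIPLIER * baseline:
            alerts.append((src, count, kind, baseline))
    return alerts


# Constructed sample traffic: three workstations using the file server's SMB port
# (popular), one workstation mailing, and ws-17 sweeping a database server.
SAMPLE_LOG = """\
2024-05-01T09:50:00 ws-17 srv-db 110
2024-05-01T10:01:00 ws-01 srv-file 445
2024-05-01T10:01:10 ws-02 srv-file 445
2024-05-01T10:01:20 ws-03 srv-file 445
2024-05-01T10:02:00 ws-01 srv-mail 25
2024-05-01T10:05:00 ws-17 srv-file 445
2024-05-01T10:05:01 ws-17 srv-db 21
2024-05-01T10:05:02 ws-17 srv-db 22
2024-05-01T10:05:03 ws-17 srv-db 23
2024-05-01T10:05:04 ws-17 srv-db 25
2024-05-01T10:05:05 ws-17 srv-db 80
2024-05-01T10:05:06 ws-17 srv-db 135
2024-05-01T10:05:07 ws-17 srv-db 443
2024-05-01T10:05:08 ws-17 srv-db 3389
"""
SAMPLE_SESSIONS = [parse_log(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
WINDOW_END = datetime.fromisoformat("2024-05-01T10:10:00")
ENDPOINT_TYPE = {"ws-01": "workstation", "ws-02": "workstation",
                 "ws-03": "workstation", "ws-17": "workstation"}
BASELINE_AVG = {"workstation": 1.0, "server": 4.0}   # assumed learned averages

if __name__ == "__main__":
    for src, count, kind, base in port_scan_alerts(SAMPLE_SESSIONS, WINDOW_END,
                                                   ENDPOINT_TYPE, BASELINE_AVG):
        print(f"Port Scan: {src} ({kind}) hit {count} rare privileged ports, baseline {base}")
```

Running it flags only ws-17: its 09:50 session falls outside the window, the FTP (21), DCE/RPC (135) and non-privileged (3389) sessions are dropped, and the file server's SMB port is discounted as a destination used by many endpoints, leaving five rare privileged targets against a workstation baseline of one. The triage points in the false-positive list (a newly joined endpoint, a SYN-ACK scan seen from the wrong direction, portmap or X11 traffic) are not modelled here; they are the checks an analyst applies to an alert this logic produces.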