Recurring Rare Domain Access
The Cortex XDR – Analytics Recurring Rare Domain Access alert indicates that an endpoint is connecting repeatedly to an external domain in a pattern that suggests the remote domain is serving as a malware command-and-control server.
Required logs: Threat and Enhanced Application logs.
Attack category: Command and control.
An endpoint is periodically accessing an external domain that is rarely used by that endpoint, or by other endpoints in its peer group. Access to the domain has recurred over many days, and analysis of the connection pattern shows that it is consistent with malware contacting its command and control server for updates and operating instructions.
Cortex XDR – Analytics weighs how the domain is used both across your organization and by the identified endpoint, and raises this alert only when the traffic is unusual enough on both counts.
If, after investigating this alert, you determine that the domain it identifies is in fact used for malware command and control, consider adding the domain to the Cortex XDR – Analytics block list.
Attacker's goal: communicate with malware running on your network in order to control its activities, push software updates to it, or take inventory of infected machines.
- Identify the process and user contacting the remote domain and determine whether the traffic is malicious. Periodic connections from a legitimate updater or agent to a vendor domain are a common benign cause, so check whether the process and domain are expected on that endpoint.
- Look for other endpoints on your network that are also periodically contacting the suspicious domain; a second host on the same beacon schedule points to a wider infection.