Recurring Rare Domain Access

The Cortex XDR – Analytics Recurring Rare Domain Access alert indicates an endpoint is connecting repeatedly to an external domain in a way that suggests the remote domain is performing malware command and control.

Synopsis

1 day.
14 days.
14 days.
14 days.
Threat and Enhanced Application logs.
Command and control.

Description

An endpoint is periodically accessing an external domain that is rarely used by the endpoint, or by other endpoints in its peer group. The access to this domain has occurred repeatedly, over many days. Analysis of the connection pattern shows that it is consistent with malware connecting to its command and control server for updates and operating instructions.
Cortex XDR – Analytics has considered how the domain is used both across your organization and by the identified endpoint, and has determined that the traffic is unusual enough to warrant this alert.
If, after investigating this alert, you determine that the domain identified by this alert is in fact used for the purposes of malware command and control, you should consider adding the domain to the Cortex XDR – Analytics block list.
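The following script is an added illustration of the two signals the description above combines, rarity of the domain within the peer group and a regular connection cadence sustained over several days; it is not Cortex XDR – Analytics' own detection logic, and the thresholds, host names and domains in it are constructed assumptions, not values from this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample connection records: (timestamp, endpoint, destination domain).
# host-a beacons to a domain no other endpoint uses every 6 hours for 14 days;
# the other records are ordinary, irregular, or one-off traffic. Not real telemetry.
T0 = datetime(2024, 1, 1)


def _visits(host, domain, hours):
    return [(T0 + timedelta(hours=h), host, domain) for h in hours]


SAMPLE_LOG = (
    _visits("host-a", "rare-example.invalid", [6 * i for i in range(56)])  # steady 6 h beacon
    + _visits("host-a", "cdn.example.com", [9, 40, 70])
    + _visits("host-b", "cdn.example.com", [10, 35, 72, 90])
    + _visits("host-c", "cdn.example.com", [8, 50])
    + _visits("host-b", "irregular.invalid", [0, 1, 30, 31, 80, 100, 150])  # many days, no cadence
    + _visits("host-d", "onceoff.invalid", [12])  # single visit, not recurring
)


def find_recurring_rare_domains(events, min_days=3, max_hosts=1, max_jitter=0.25):
    """Return (host, domain, distinct_days, mean_gap_hours) for endpoint/domain pairs
    that are rare in the peer group, recur over many days, and keep a steady cadence.
    Thresholds are assumed values for this example, not product settings."""
    by_pair = defaultdict(list)
    hosts_per_domain = defaultdict(set)
    for ts, host, domain in events:
        by_pair[(host, domain)].append(ts)
        hosts_per_domain[domain].add(host)

    findings = []
    for (host, domain), stamps in by_pair.items():
        if len(hosts_per_domain[domain]) > max_hosts:
            continue  # used by several peers: not a rare domain
        stamps.sort()
        days = {t.date() for t in stamps}
        if len(days) < min_days:
            continue  # not recurring over many days
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0 or pstdev(gaps) / avg > max_jitter:
            continue  # irregular timing: not beacon-like
        findings.append((host, domain, len(days), round(avg / 3600, 2)))
    return findings


if __name__ == "__main__":
    for host, domain, days, gap_h in find_recurring_rare_domains(SAMPLE_LOG):
        print(f"{host} -> {domain}: {days} days, every ~{gap_h} h")
```

Only the steady, single-host beacon is reported; the irregular multi-day visits and the one-off connection are filtered by the cadence and recurrence checks respectively.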

Attacker's Goals

Communicate with malware running on your network for the purpose of controlling malware activities, performing software updates on the malware, or for taking inventory of infected machines.

Investigative Actions

  • Identify the process/user contacting the remote domain and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also periodically contacting the suspicious domain.

Related Documentation