Recurring Rare IP Access

The Recurring Rare IP Access alert indicates that an endpoint is repeatedly connecting to an external IP address in a pattern that suggests communication with a command-and-control server.

Synopsis

Activation Period: 1 day
Training Period: 21 days
Test Period: 21 days
Deduplication Period: 21 days
Required Data: Threat, Traffic, or Enhanced Application logs, or Traps endpoint data
Detector Tags: Command and control

Description

An endpoint is periodically accessing an external IP address in a way that is suggestive of command-and-control activity. Analysis of the connection pattern shows that it is consistent with malicious code (such as malware) contacting its command-and-control server for updates and operating instructions. Access to this IP address has recurred over many days, while other endpoints in your network rarely, if ever, access it.
Cortex XDR – Analytics has considered how the IP address is used across your network and determined that this traffic is unusual enough to warrant the alert.
If, after investigating this alert, you determine that the IP address it identifies is used for command-and-control activity, consider adding the IP address to the Cortex XDR – Analytics block list.
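The following is an added example, not Cortex XDR – Analytics code, of the kind of logic behind this alert: for each (source endpoint, external IP) pair it checks recurrence across days, rarity of the destination across the whole fleet, and regularity of the connection interval, which is what distinguishes a beacon from an ordinary download. The CSV log format, the three thresholds and the traffic log itself are all constructed for the illustration; the product's own baseline is the 21-day training window stated in the synopsis.

```python
"""Toy 'recurring rare IP access' detector over a constructed traffic log.

Added example, not Cortex XDR - Analytics code. Thresholds are assumptions
chosen for the illustration, not the product's tuned values.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_DAYS = 5        # recurrence: seen on at least this many distinct days
MAX_SOURCES = 2     # rarity: at most this many endpoints in the fleet hit the IP
MAX_GAP_CV = 0.25   # regularity: coefficient of variation of inter-connection gaps


def constructed_log() -> str:
    """Build a constructed CSV traffic log (synthetic data, not a real capture)."""
    rows = ["ts,src,dst,dport,bytes"]
    t0 = datetime(2024, 3, 1)
    # A beacon: one endpoint hits one external IP every 6 hours for 7 days.
    for i in range(28):
        ts = t0 + timedelta(hours=6 * i)
        rows.append(f"{ts.isoformat()},10.0.0.5,203.0.113.7,443,1200")
    # A popular SaaS IP: 20 endpoints hit it daily over the same 7 days.
    for day in range(7):
        for host in range(1, 21):
            ts = t0 + timedelta(days=day, hours=9)
            rows.append(f"{ts.isoformat()},10.0.0.{host},198.51.100.20,443,50000")
    # A one-off download from a rare IP: rare, but not recurring.
    ts = t0 + timedelta(days=3, hours=14)
    rows.append(f"{ts.isoformat()},10.0.0.9,192.0.2.44,80,9000")
    return "\n".join(rows)


def parse_log(text: str):
    """Parse CSV rows into (timestamp, src, dst) tuples."""
    return [(datetime.fromisoformat(r["ts"]), r["src"], r["dst"])
            for r in csv.DictReader(io.StringIO(text))]


def gap_cv(stamps):
    """Coefficient of variation of the gaps between connections (0.0 = perfectly periodic)."""
    if len(stamps) < 3:
        return None
    ordered = sorted(stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_recurring_rare(rows):
    """Return one finding per (src, dst) pair that is recurring, rare and regular."""
    stamps_by_pair = defaultdict(list)
    sources_by_dst = defaultdict(set)
    for ts, src, dst in rows:
        stamps_by_pair[(src, dst)].append(ts)
        sources_by_dst[dst].add(src)

    findings = []
    for (src, dst), stamps in stamps_by_pair.items():
        days = {ts.date() for ts in stamps}
        cv = gap_cv(stamps)
        if (len(days) >= MIN_DAYS
                and len(sources_by_dst[dst]) <= MAX_SOURCES
                and cv is not None and cv <= MAX_GAP_CV):
            findings.append({"src": src, "dst": dst, "days": len(days),
                             "fleet_sources": len(sources_by_dst[dst]),
                             "gap_cv": round(cv, 3)})
    return findings


def run_demo():
    """Run the detector over the constructed log; only the beacon should surface."""
    return find_recurring_rare(parse_log(constructed_log()))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The popular SaaS address fails the rarity test even though it is hit every day, and the one-off download fails the recurrence test even though it is rare; only the pair that is recurring, rare and evenly spaced is reported. Real beacons add jitter, so a production detector would accept a wider interval spread than the 0.25 used here.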

Attacker's Goals

Communicate with malicious code running on your network in order to enable further access to the endpoint and network, update the malicious code on the endpoint, or take inventory of infected machines.

Investigative Actions

  • Identify whether the IP address belongs to a reputable organization or to an asset in a public cloud. A public-cloud address is not proof of benign use, since attackers also host command-and-control infrastructure there.
  • Identify whether the source of the traffic is malware. If the source is a malicious file, Cortex XDR – Analytics also raises a malware alert for that file on the endpoint. Because malware may contact legitimate IP addresses, also check for unusual applications, ports, or traffic volumes.
  • View all related traffic generated by the suspicious process to understand its purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine the file-system operations performed by the process to look for artifacts on infected endpoints.
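As an added example of the pivot these steps describe (not Cortex XDR – Analytics code), the script below takes the alerted IP address and summarises from a traffic log which endpoints contacted it, over which ports, with how much data and from which process, and checks it against a table of public-cloud prefixes. The log lines, the process names and the prefix table are constructed for the illustration; in practice the prefix table would be loaded from the providers' published address ranges.

```python
"""Pivot on the IP address from a Recurring Rare IP Access alert.

Added example, not Cortex XDR - Analytics code. The log, the process names and
the cloud prefix table are constructed for the illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed stand-in for the providers' published address ranges (assumption:
# in practice you load the real published prefix lists here).
CLOUD_PREFIXES = {
    "example-cloud": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed traffic log with the owning process recorded per connection.
SAMPLE_LOG = """ts,src,dst,dport,bytes,process
2024-03-01T00:00:00,10.0.0.5,203.0.113.7,443,1200,svchost.exe
2024-03-01T06:00:00,10.0.0.5,203.0.113.7,443,1200,svchost.exe
2024-03-02T00:00:00,10.0.0.5,203.0.113.7,443,1200,svchost.exe
2024-03-02T06:00:00,10.0.0.5,203.0.113.7,8443,1200,svchost.exe
2024-03-03T00:00:00,10.0.0.7,203.0.113.7,443,1180,updater.exe
2024-03-01T09:00:00,10.0.0.5,198.51.100.20,443,50000,chrome.exe
2024-03-01T09:00:00,10.0.0.9,198.51.100.20,443,48000,chrome.exe
"""


def cloud_owner(ip: str):
    """Return the label of the cloud prefix table entry containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in CLOUD_PREFIXES.items():
        if any(addr in net for net in nets):
            return owner
    return None


def pivot_on_ip(log_text: str, ip: str) -> dict:
    """Summarise everything the log shows about connections to one destination IP."""
    endpoints, ports, processes = set(), set(), set()
    bytes_by_src = defaultdict(int)
    connections = 0
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] != ip:
            continue
        connections += 1
        endpoints.add(row["src"])
        ports.add(int(row["dport"]))
        processes.add(row["process"])
        bytes_by_src[row["src"]] += int(row["bytes"])
    return {
        "ip": ip,
        "cloud_owner": cloud_owner(ip),
        "connections": connections,
        "endpoints": sorted(endpoints),      # every endpoint that contacted the IP
        "ports": sorted(ports),              # unusual ports stand out here
        "processes": sorted(processes),      # processes to examine on the endpoints
        "bytes_by_src": dict(bytes_by_src),  # small, constant volumes suggest beaconing
    }


if __name__ == "__main__":
    print(pivot_on_ip(SAMPLE_LOG, "203.0.113.7"))
```

In the constructed data the alerted address is contacted by a second endpoint and on a second port, which turns a single-host alert into a two-host investigation; the process names give the file to examine next for the malware alert and file-system artifacts mentioned above.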
