Recurring Rare IP Access
Synopsis: The Recurring Rare IP Access alert indicates an endpoint is repeatedly connecting to an external endpoint IP address in a way that suggests connections to a command-and-control server.
Data Sources: Threat, Traffic, Enhanced Application logs, or Traps endpoint data.
Attack Category: Command and control.
Description: An endpoint is periodically accessing an external endpoint IP address in a way that is suggestive of command and control activity. Analysis of the connection pattern shows that it is consistent with malicious code (such as malware) connecting to its command-and-control server for updates and operating instructions. Access to this IP address has occurred repeatedly over many days, and other endpoints in your network rarely access this IP address.
Cortex XDR – Analytics has considered the usage of the IP address and determined that the traffic is unusual enough to warrant this alert.
If, after investigating this alert, you determine that the IP address identified by this alert is used for command-and-control activity, consider adding the IP address to the Cortex XDR – Analytics app Block Lists.
Attacker's Goals: Communicate with malicious code running on your network for the purpose of enabling further access to the endpoint and network, performing software updates on the endpoint, or taking inventory of infected machines.
Investigative Actions:
- Identify if the IP address belongs to a reputable organization or an asset used in a public cloud.
- Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR – Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, so also check for unusual apps used, or unusual ports or volumes accessed.
- View all related traffic generated by the suspicious process to understand the purpose.
- Look for other endpoints on your network that are also contacting the suspicious IP address.
- Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.
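As an added example (not Cortex XDR – Analytics code, and not a description of how the product's detector is implemented), the following Python sketches the logic the description above gives for this alert and the "look for other endpoints contacting the suspicious IP" investigative action: for each source/destination pair it counts the distinct days on which the source reached the destination, counts how many other hosts in the data set ever reached that destination, and scores how evenly spaced the connections are. The thresholds (three days, at most one other host, at least five hosts observed before an address can be called rare), the record layout and the sample traffic are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample traffic records (not real logs): (timestamp, source host, destination IP).
# Destination addresses are taken from the RFC 5737 documentation ranges.
#  - host-a reaches 203.0.113.45 once a day, at the same hour, for five days;
#    the only other host that ever touches that IP is host-b, once.
#  - Ten hosts reach 198.51.100.10 every day (a popular service; must not alert).
#  - host-c reaches 192.0.2.77 on a single day (not recurring; must not alert).
SAMPLE_TRAFFIC = []
_start = datetime(2019, 5, 1, 2, 0, 0)
for _day in range(5):
    SAMPLE_TRAFFIC.append((_start + timedelta(days=_day), "host-a", "203.0.113.45"))
    for _n in range(10):
        SAMPLE_TRAFFIC.append(
            (_start + timedelta(days=_day, hours=8, minutes=_n), f"host-{_n:02d}", "198.51.100.10")
        )
SAMPLE_TRAFFIC.append((_start + timedelta(days=2, hours=5), "host-b", "203.0.113.45"))
SAMPLE_TRAFFIC.append((_start + timedelta(days=3, hours=6), "host-c", "192.0.2.77"))


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between consecutive connections.
    Close to 0 means evenly spaced (beacon-like). None if fewer than three connections."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_recurring_rare_ip_access(records, min_days=3, max_other_hosts=1, min_hosts=5):
    """Return findings for (source, destination) pairs where the source reached the
    destination on at least `min_days` distinct days while at most `max_other_hosts`
    other hosts ever reached it. `min_hosts` is an assumed guard: with very few hosts
    observed, "rarely accessed by other endpoints" carries no signal."""
    stamps_by_pair = defaultdict(list)   # (src, dst) -> connection timestamps
    hosts_by_dst = defaultdict(set)      # dst -> every source host that reached it
    all_hosts = set()
    for ts, src, dst in records:
        stamps_by_pair[(src, dst)].append(ts)
        hosts_by_dst[dst].add(src)
        all_hosts.add(src)
    if len(all_hosts) < min_hosts:
        return []

    findings = []
    for (src, dst), stamps in stamps_by_pair.items():
        days_seen = {ts.date() for ts in stamps}
        other_hosts = sorted(hosts_by_dst[dst] - {src})
        if len(days_seen) >= min_days and len(other_hosts) <= max_other_hosts:
            findings.append({
                "source": src,
                "destination": dst,
                "days_seen": len(days_seen),
                "other_hosts": other_hosts,          # pivot list for the investigation
                "interval_cv": interval_cv(stamps),  # regularity of the connections
            })
    return sorted(findings, key=lambda f: (f["source"], f["destination"]))


if __name__ == "__main__":
    for finding in find_recurring_rare_ip_access(SAMPLE_TRAFFIC):
        print(finding)
```

On the constructed data only host-a's daily contact with 203.0.113.45 is reported: the popular service is excluded because nine other hosts reach it, and host-c's single-day contact never reaches the day threshold. The `other_hosts` list is the starting point for the "other endpoints contacting the suspicious IP" check, and a low `interval_cv` is a hint, not proof, that the connections are scheduled rather than user-driven.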