Script Connecting to Rare External Host
The Cortex XDR – Analytics Script Connecting to Rare External Host alert indicates that a Windows scripting host process (wscript.exe, cscript.exe or powershell.exe) connected to an external host that few other endpoints in the organization connect to.
Required data: Threat and Enhanced Application logs.
Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when an external IP address receives connections from only a few specific endpoints in the organization, the script behind those connections may be an indicator of more suspicious activity: security testers and adversaries use offensive frameworks that rely on scripting, and that scripting produces exactly this type of network activity.
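The rarity logic described above, as an added illustration that is not Cortex XDR's own detection code: it takes process-to-IP connection events, counts how many distinct endpoints talk to each external address, and flags only the script-host connections whose destination is contacted by at most `MAX_ENDPOINTS` endpoints. The event format, the internal address ranges, the endpoint threshold and the sample events are all constructed assumptions; the real alert's baseline window and threshold are not stated on the page.

```python
import ipaddress
from collections import defaultdict

# Script hosts named by the alert description.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

# Assumed definition of "internal": RFC 1918, loopback and link-local ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Assumed threshold: a destination seen from this many endpoints or fewer is "rare".
MAX_ENDPOINTS = 2

# Constructed sample events (host, process image name, destination IP).
# 203.0.113.x / 198.51.100.x are documentation ranges standing in for public IPs.
EVENTS = [
    {"host": "ws01", "process": "powershell.exe", "dst": "203.0.113.10"},  # rare, script host
    {"host": "ws01", "process": "cscript.exe", "dst": "198.51.100.5"},     # common destination
    {"host": "ws02", "process": "chrome.exe", "dst": "198.51.100.5"},
    {"host": "ws03", "process": "chrome.exe", "dst": "198.51.100.5"},
    {"host": "ws04", "process": "chrome.exe", "dst": "198.51.100.5"},
    {"host": "ws03", "process": "wscript.exe", "dst": "10.0.0.7"},         # internal target
    {"host": "ws04", "process": "chrome.exe", "dst": "203.0.113.99"},      # rare, but not a script host
]


def is_external(ip: str) -> bool:
    """True when the address falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def rare_external_script_connections(events, max_endpoints=MAX_ENDPOINTS):
    """Return sorted (host, process, dst) tuples that match the alert's logic."""
    # Step 1: how many distinct endpoints contact each external destination,
    # counting every process, not only script hosts (this is the "rarity" baseline).
    endpoints_per_dst = defaultdict(set)
    for e in events:
        if is_external(e["dst"]):
            endpoints_per_dst[e["dst"]].add(e["host"])
    # Step 2: flag script-host connections to destinations with few endpoints.
    hits = {
        (e["host"], e["process"], e["dst"])
        for e in events
        if e["process"].lower() in SCRIPT_HOSTS
        and is_external(e["dst"])
        and len(endpoints_per_dst[e["dst"]]) <= max_endpoints
    }
    return sorted(hits)


if __name__ == "__main__":
    for host, proc, dst in rare_external_script_connections(EVENTS):
        print(f"ALERT {host}: {proc} -> {dst}")
```

In the sample data only the PowerShell connection from ws01 fires; the cscript.exe connection to the address shared by four endpoints, the internal wscript.exe connection and the rare-but-browser connection do not.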