Script Connecting to Rare External Host

The Cortex XDR – Analytics Script Connecting to Rare External Host alert indicates a Windows Script Host (wscript.exe, cscript.exe, powershell.exe) connecting to an external host.


1 day.
3 days.
14 days.
Threat and Enhanced Application logs.


Scripts connecting to external IP addresses may be sanctioned IT scripts. However, when those external IP addresses are only receiving connections from a few specific endpoints in the organization, these scripts may be an indicator of more suspicious activity. Security testers and adversaries use offensive frameworks that employ forms of scripting which result in this type of network activity.

Related Documentation