Possible Cortex XDR – Analytics Alerts

All possible Cortex XDR – Analytics alerts grouped by attack category.
Cortex XDR – Analytics alerts are categorized by individual steps in the attack lifecycle.
The alerts you see in Cortex XDR – Analytics depend on the log sources you set up. For example, if you use Traps as the only data source, the app raises only the alerts it can detect from Traps data.
The alerts the app can raise are:
The original table has five columns: Alert, Firewall Traffic Logs, Firewall EAL Logs, GlobalProtect and GlobalProtect Cloud Service Data, and Traps Endpoint Data. Each alert below states how many of these four data sources can raise it.
Execution
Grayware
The Cortex XDR™ – Analytics app identified a suspicious file based on network traffic that the file is generating, threat intelligence, or prevalence of the file across endpoints on your network, or based on endpoint activity provided by Traps. Automated investigation of the file by WildFire identified the file as grayware.
Supported data sources: 3 of the 4 listed above.
Malware
The app has identified a suspicious file on an endpoint in the network based on threat intelligence, on the file generating suspicious network traffic, or on endpoint activity logged by Traps. Automated investigation of the file by WildFire identified the file as malware.
Supported data sources: 3 of the 4 listed above.
Script Connecting to Rare External Host
The app identified a Windows Script Host (wscript.exe, cscript.exe, powershell.exe) connecting to an uncommon external endpoint.
Supported data sources: 2 of the 4 listed above.
scrcons.exe Rare Child Process
The app identified that scrcons.exe spawned a child process on an endpoint, which may indicate remote code execution abuse by an attacker.
Supported data sources: 1 of the 4 listed above.
SpamBot Traffic
A non-SMTP-based device that appears to be sending SPAM.
Supported data sources: all 4 listed above.
Uncommon Remote Scheduled Task Creation via schtasks.exe
The app identified the uncommon scheduling of a task on a remote endpoint.
Supported data sources: 1 of the 4 listed above.
Uncommon Remote Service Start via sc.exe
The app identified that the Service Control (sc.exe) command was used to start a remote service.
Supported data sources: 1 of the 4 listed above.
Persistence
Uncommon Local Scheduled Task Creation via schtasks.exe
The app detected an uncommon locally scheduled task on an endpoint.
Supported data sources: 1 of the 4 listed above.
Uncommon Net User
The app detected that the net user command was executed on an endpoint.
Supported data sources: 1 of the 4 listed above.
Discovery
Failed Connections
The Cortex XDR – Analytics app detected an endpoint that is generating an abnormally high number of failed connections to other endpoints that have been inactive for a long time or that were never on the network to begin with.
Supported data sources: all 4 listed above (one marked "Increases accuracy").
High Connection Rate
The app has identified a number of successful connections to a susceptible port list at a rate that is unusual when compared to the baseline. This could be the consequence of an attacker scraping an endpoint for data or attempting a brute-force attack on user and password combinations.
Supported data sources: 3 of the 4 listed above.
Port Scan
The app detected port-scanning activity, the amount of which exceeds the baseline for that endpoint and endpoint type.
Supported data sources: 3 of the 4 listed above.
Uncommon ARP Cache Listing via arp.exe
The app detected an uncommon listing of the ARP cache through the arp.exe command on an endpoint.
Supported data sources: 1 of the 4 listed above.
Uncommon IP Configuration Listing via ipconfig.exe
The app detected that the ipconfig command was used on an endpoint to list the IP address configuration for all devices to determine network configuration details.
Supported data sources: 1 of the 4 listed above.
Uncommon Routing Table Listing via route.exe
The app detected the route.exe command was used to display or modify the local IP address routing table.
Supported data sources: 1 of the 4 listed above.
Uncommon Net Group Execution
The app detected that the net group command was used on an endpoint on which the command is not commonly used.
Supported data sources: 1 of the 4 listed above.
Uncommon net localgroup Execution
The app detected that the net localgroup command was used on an endpoint.
Supported data sources: 1 of the 4 listed above.
Uncommon Net User
The app detected that the net user command was executed on an endpoint.
Supported data sources: 1 of the 4 listed above.
Lateral Movement
Consecutive Connections
The Cortex XDR™ – Analytics app detected multiple suspicious consecutive connections between two endpoints. It could be that the connections are being used by one endpoint to control the other.
Supported data sources: all 4 listed above (one marked "Increases accuracy").
High Connection Rate
The app has identified a number of successful connections to a susceptible port list at a rate that is unusual when compared to the baseline. This could be the consequence of an attacker scraping an endpoint for data or attempting a brute-force attack on user and password combinations.
This alert can also be related to a discovery attack tactic of your network.
Supported data sources: 3 of the 4 listed above.
New Administrative Behavior
The app detected administrative activities from an endpoint that does not usually engage in that behavior, which typically means that an attacker is trying to move laterally across the network.
This alert can also be related to an attacker's reconnaissance of your network.
Supported data sources: all 4 listed above (one marked "Increases accuracy", one marked "(Limited)").
Remote Command Execution
The app detected an account using remote command execution from an endpoint that historically does not perform that activity.
Supported data sources: 3 of the 4 listed above (one marked "Increases accuracy").
Reverse Connection
The app detected overlapping connections (two or more connections that occur close together in time) of a nature that suggests a reverse shell might have been created; these connections are not related to legitimate network services.
Supported data sources: all 4 listed above.
SMB/KRB Traffic from Non-Standard Process
The app detected a process that is connecting over ports normally used by SMB or Kerberos. Either the process is using a custom protocol implementation or is not using the expected protocol.
Supported data sources: 3 of the 4 listed above.
wmiprvse.exe Rare Child Process
The app detected that a remote WMI command ran through the binary proxy wmiprvse.exe, which then executed a rare child process.
Supported data sources: 1 of the 4 listed above.
wsmprovhost.exe Rare Child Process
The app detected that a remote WMI command ran through the binary proxy wsmprovhost.exe, which then executed a rare child process.
Supported data sources: 1 of the 4 listed above.
Command and Control
DNS Tunneling
The Cortex XDR™ – Analytics app detected an endpoint sending and receiving anomalous DNS queries and responses.
Supported data sources: 3 of the 4 listed above.
Failed DNS
The app detected an endpoint that is performing an unusually large number of failed DNS resolutions when compared to its peer group.
Supported data sources: 3 of the 4 listed above.
Random Looking DNS
The app has detected an endpoint that is performing DNS lookups to a large number of unique and apparently random root domain names.
Supported data sources: 3 of the 4 listed above.
Recurring Rare Domain Access
The app has detected an endpoint that is connecting repeatedly to an external domain in a way that suggests the remote domain is performing malware command and control activity.
Supported data sources: 3 of the 4 listed above.
Recurring Rare IP Access
The app has detected an endpoint that is connecting repeatedly to an external IP address in a way that suggests the remote endpoint is performing malware command and control activity.
Supported data sources: all 4 listed above.
Tunneling Process
The app detected an endpoint that has open internal ports at the same time that it is communicating with a destination on the internet.
Supported data sources: 2 of the 4 listed above.
Exfiltration
DNS Tunneling
The Cortex XDR™ – Analytics app detected an endpoint sending and receiving anomalous DNS queries and responses.
Supported data sources: 3 of the 4 listed above.
Large Upload (FTP)
The Cortex XDR™ – Analytics app detected excessively large data transfers over FTP from a source that is not an FTP server.
Supported data sources: 3 of the 4 listed above (one marked "Increases accuracy").
Large Upload (Generic)
The app detected abnormally large data traffic to an external destination. The traffic is generic in that it is not HTTP(s), FTP, or SMTP.
Supported data sources: all 4 listed above (one marked "Increases accuracy").
Large Upload (HTTPS)
The app detected excessively large data transfers over HTTPS from a source that is not an HTTP server.
Supported data sources: 3 of the 4 listed above.
Large Upload (SMTP)
The app detected abnormally large data transfers over SMTP, compared to historical traffic amounts for machines of this type.
Supported data sources: 3 of the 4 listed above (one marked "Increases accuracy").