Failed Connections

The Failed Connections Analytics alert indicates that an endpoint has an abnormally high number of failed connections to other endpoints that have been inactive for a long time, or that have never been seen on the network.

Synopsis

Every 10 minutes
14 days
21 days
1 day
Any of the following:
  • Palo Alto Networks firewall traffic logs
  • Check Point firewall traffic logs
  • Cisco firewall traffic logs
  • Fortinet firewall traffic logs
  • Cortex XDR agent endpoint data
Severity
Varies by activity (High, Medium, or Low).

Description

An endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.
Your network may contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking whether a scanner has been active for a long consecutive period of time. Consequently, if this alert is raised, it represents new activity on your network.
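As an added illustration (not Cortex XDR's own detection code or data), the following Python models the rule described above over constructed firewall records: a destination counts as missing or inactive when it has never been seen or was last seen more than 24 hours earlier, failed connections to such destinations are grouped per source, and sources on a sanctioned-scanner allowlist are excluded. The "deny" action, the addresses and the threshold are all assumptions.

```python
from datetime import datetime, timedelta

INACTIVE_AFTER = timedelta(hours=24)

# Constructed sample data: when each endpoint was last seen active on the
# network. An endpoint absent from this table has never been seen.
LAST_SEEN = {
    "10.0.0.5": datetime(2024, 5, 10, 9, 0),
    "10.0.0.6": datetime(2024, 5, 10, 9, 30),
    "10.0.0.7": datetime(2024, 5, 1, 8, 0),  # inactive for over a week
}

# Constructed firewall traffic records: (timestamp, src, dst, action).
TRAFFIC = [
    (datetime(2024, 5, 10, 10, 0), "10.0.0.9", "10.0.0.5", "allow"),
    (datetime(2024, 5, 10, 10, 1), "10.0.0.9", "10.0.0.7", "deny"),
    (datetime(2024, 5, 10, 10, 1), "10.0.0.9", "10.0.0.40", "deny"),
    (datetime(2024, 5, 10, 10, 2), "10.0.0.9", "10.0.0.41", "deny"),
    (datetime(2024, 5, 10, 10, 2), "10.0.0.9", "10.0.0.42", "deny"),
    (datetime(2024, 5, 10, 10, 3), "10.0.0.9", "10.0.0.6", "deny"),
    (datetime(2024, 5, 10, 10, 4), "10.0.0.12", "10.0.0.6", "deny"),
]


def is_missing_or_inactive(dst, now, last_seen=LAST_SEEN):
    """True if dst was never seen, or last seen more than 24 hours before now."""
    seen = last_seen.get(dst)
    return seen is None or now - seen > INACTIVE_AFTER


def failed_to_missing(traffic, last_seen=LAST_SEEN):
    """Map each source to the set of missing/inactive destinations it failed to reach."""
    counts = {}
    for ts, src, dst, action in traffic:
        if action != "deny":  # only failed connections matter
            continue
        if is_missing_or_inactive(dst, ts, last_seen):
            counts.setdefault(src, set()).add(dst)
    return counts


def flag_sources(traffic, threshold, sanctioned_scanners=()):
    """Sources with at least `threshold` distinct missing/inactive targets,
    excluding known, sanctioned scanners (the page's main false-positive source)."""
    return sorted(src for src, dsts in failed_to_missing(traffic).items()
                  if src not in sanctioned_scanners and len(dsts) >= threshold)
```

In the sample, 10.0.0.9 fails against one long-inactive host and three never-seen hosts, while 10.0.0.12 only fails against an active host and is not counted.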

Attacker's Goals

An attacker does not know your network and is exploring it for new or unknown subnets.

Investigative Actions

  • Validate that the source is not a sanctioned port scanner.
  • Check for suspicious artifacts in the endpoint profile.
