High Connection Rate

The
High Connection Rate
Analytics alert indicates that an endpoint is performing an unusually high number of successful connections to susceptible ports on a remote endpoint.

Synopsis

1 hour
10 days
14 days
1 day
Traffic logs or Cortex XDR agent endpoint data
Severity
Varies by activity (High, Medium, or Low).

Description

An endpoint is performing an unusually large number of successful connections to susceptible ports on one or more remote endpoints.
Susceptible ports
are ports used by servers that might be used by attackers for a number of malicious reasons.
The detector assumes normal users do not initiate a large number of connections to specific destinations on susceptible ports, and that a large number of users are not initiating multiple sessions to those ports on a routine basis.

Attacker's Goals

This alert could indicate any of the following:
  • An attacker is scraping data services for useful data.
  • The attacker might be seeking authentication credentials using a brute force username and password attack against the service.
  • The attacker might be using fuzz testing to look for vulnerabilities on the remote endpoint. Fuzz testing sends unexpected, invalid, and/or random data to software. In this context, the attacker is likely using the fuzzer in an attempt to discover buffer overflow vulnerabilities in the server.

Investigative Actions

  • Examine
    Alert Details
    Overview
    to identify the source endpoint, process running the scan, and process owner, to determine who or what is performing the network activity.
  • Examine the endpoint profile to identify the process that is being used for the suspicious connections.

Recommended For You