An endpoint is transferring an excessive amount of data to an external site using a protocol other than HTTP/s, FTP, or SMTP. (A specific detector is used for each of those protocols.) Cortex XDR Analytics assumes that data transfers out of your network are ordinarily performed using one of those three services, so it expects data transfers over all other ports to be low. For the same reason, Cortex XDR Analytics also assumes that endpoint traffic towards a specific destination should be about the same over long periods of time.
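The two assumptions above (little outbound volume on ports other than the web/FTP/SMTP ones, and a stable per-destination volume over time) can be turned into a small baseline check. The following is an added example written for this page, not Cortex XDR's own detector: the flow records, the port set treated as "covered by the protocol-specific detectors", the 14-day baseline window, and the 50 MB floor and 10x ratio are all assumptions.

```python
"""
Toy baseline detector for large uploads over non-HTTP/FTP/SMTP ports.
Added example for this page; not Cortex XDR code. Records, ports and
thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean

# Assumption: these destination ports are handled by the dedicated
# HTTP/s, FTP and SMTP detectors, so flows to them are skipped here.
COVERED_PORTS = {80, 443, 21, 25}

# Constructed daily flow summaries:
# (day, endpoint, dst_ip, dst_port, bytes_out)
FLOWS = []
for _day in range(1, 15):
    FLOWS.append((_day, "host-a", "203.0.113.10", 22, 2_000_000 + _day * 10_000))  # steady SSH
    FLOWS.append((_day, "host-c", "203.0.113.50", 22, 30_000_000))                # steady SSH
FLOWS += [
    (15, "host-a", "203.0.113.10", 22, 900_000_000),     # sudden spike to a known peer
    (15, "host-a", "203.0.113.10", 443, 5_000_000_000),  # HTTPS: left to that detector
    (15, "host-b", "198.51.100.7", 9999, 500_000_000),   # large upload, never seen before
    (15, "host-c", "203.0.113.50", 22, 31_000_000),      # within its usual range
    (15, "host-d", "203.0.113.77", 3389, 1_000_000),     # below the absolute floor
]


def find_large_uploads(flows, current_day, baseline_days=14,
                       min_bytes=50_000_000, ratio=10.0):
    """Return (key, bytes_out, reason) for endpoint/destination/port pairs
    whose outbound volume on the current day is both large in absolute
    terms and far above that pair's own recent daily baseline."""
    history = defaultdict(list)   # key -> daily byte counts in the baseline window
    current = defaultdict(int)    # key -> bytes on the day under review
    for day, endpoint, dst, port, nbytes in flows:
        if port in COVERED_PORTS:
            continue
        key = (endpoint, dst, port)
        if day == current_day:
            current[key] += nbytes
        elif current_day - baseline_days <= day < current_day:
            history[key].append(nbytes)

    alerts = []
    for key, nbytes in current.items():
        if nbytes < min_bytes:          # "transfers over other ports should be low"
            continue
        past = history.get(key)
        if not past:                    # no history: a new destination carrying a lot of data
            alerts.append((key, nbytes, "no baseline for this destination"))
            continue
        baseline = mean(past)           # "traffic to a destination should stay about the same"
        if nbytes > baseline * ratio:
            alerts.append((key, nbytes, f"baseline ~{baseline:.0f} B/day"))
    return alerts


if __name__ == "__main__":
    for (endpoint, dst, port), nbytes, reason in find_large_uploads(FLOWS, current_day=15):
        print(f"{endpoint} -> {dst}:{port} sent {nbytes} bytes ({reason})")
```

Run as written, it flags host-a's spike to its usual SSH peer and host-b's large upload to a never-before-seen destination, and ignores host-a's much larger HTTPS transfer, host-c's normal volume, and host-d's small transfer. The per-pair baseline is what keeps a routinely busy SSH link from alerting every day, which is the benign-SSH case the investigative actions below ask you to rule out.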
Attacker's goals: Transfer data he has stolen from your network to a location that is convenient and useful.

Investigative actions:
- Check if the traffic is caused by SSH, as activity over that protocol can trigger this alert. It is possible that someone on your network is legitimately engaged in SSH activity.
- Check if the traffic is to/from a misconfigured network.
- Check if the traffic is to a new external service or server that has recently been adopted for use by an organization in your
- Identify the process/user performing the data transfer to determine if the transfer is sanctioned.