New Administrative Behavior

The New Administrative Behavior Analytics alert indicates that an endpoint is performing administrative network activities, but the endpoint historically does not perform these activities.

Synopsis

Every 10 minutes
14 days
21 days
Between 10 minutes and 1 day (from 00:00:00 UTC until now)
Any of the following:
  • Palo Alto Networks firewall traffic logs
  • Check Point firewall traffic logs—SSH only
  • Cisco firewall traffic logs—SSH only
  • Fortinet firewall traffic logs—SSH only
  • Cortex XDR agent endpoint data
Severity
Varies by activity (High, Medium, or Low).

Description

An endpoint is engaging in network activities that are attributable to administrative functions. However, the endpoint historically does not engage in these administrative activities. In raising this alert, Cortex XDR Analytics considers the network protocols being used to support the administrative activity.
It is possible that an endpoint will infrequently be used for administrative activities, so Cortex XDR Analytics builds the baseline from logs collected over a long period of time. Cortex XDR Analytics also evaluates the activity against what other endpoints are doing: if many endpoints are contacting the same destination with the same activity, the network activity is less likely to result in this alert.
Cortex XDR Analytics assumes that ordinary users perform little or no administrative activity. It also assumes that IT personnel and scanners have specific roles that result in limited, narrowly defined administrative activities. Under some circumstances (for example, small networks), these assumptions might not be valid. In that case, some manual intervention on your part may be required to avoid false positives (described in Investigative Actions, below).
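The description above names three ingredients of the detection: a per-endpoint baseline built over a long training window, a peer comparison that discounts activity many endpoints perform against the same destination, and a short evaluation interval with deduplication. The following Python script is an added example that re-implements that logic over a handful of constructed firewall traffic log lines; it is not Cortex XDR code, and the port-to-protocol table, the 21-day and 10-minute windows, the `PEER_THRESHOLD` value and the sample hosts are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports treated as administrative protocols. This table is an
# assumption for the example; the real detector's protocol list is not on this page.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 445: "SMB", 135: "RPC"}

TRAINING = timedelta(days=21)        # baseline window (assumed, after the synopsis)
TEST_WINDOW = timedelta(minutes=10)  # evaluation interval (assumed, after the synopsis)
PEER_THRESHOLD = 5                   # hypothetical: this many distinct sources doing the same
                                     # thing to the same destination makes it "normal"

NOW = datetime(2024, 3, 22, 10, 0, 0)  # fixed "current time" so the example is deterministic

# Constructed traffic log lines: timestamp,src,dst,dst_port (text after '#' is a note).
SAMPLE_LOGS = """
2024-02-20T08:00:00Z,10.0.0.50,10.0.1.30,3389  # older than the training window: not baselined
2024-03-02T09:00:00Z,10.0.0.5,10.0.1.20,22
2024-03-10T09:30:00Z,10.0.0.5,10.0.1.21,22
2024-03-15T11:00:00Z,10.0.0.5,10.0.1.20,5985
2024-03-21T09:00:00Z,10.0.0.50,10.0.1.40,443   # ordinary HTTPS, not administrative
2024-03-22T09:55:00Z,10.0.0.5,10.0.1.20,22     # admin host with SSH history: no alert
2024-03-22T09:56:00Z,10.0.0.50,10.0.1.30,3389  # workstation with no RDP history: alert
2024-03-22T09:56:30Z,10.0.0.50,10.0.1.30,3389  # repeat inside the window: deduplicated
2024-03-22T09:57:00Z,10.0.0.60,10.0.1.99,445   # six peers hit the same share: suppressed
2024-03-22T09:57:01Z,10.0.0.61,10.0.1.99,445
2024-03-22T09:57:02Z,10.0.0.62,10.0.1.99,445
2024-03-22T09:57:03Z,10.0.0.63,10.0.1.99,445
2024-03-22T09:57:04Z,10.0.0.64,10.0.1.99,445
2024-03-22T09:57:05Z,10.0.0.65,10.0.1.99,445
"""


def parse_logs(text):
    """Parse the constructed CSV lines into (timestamp, src, dst, dst_port) tuples."""
    events = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, port = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return events


def build_baseline(events, start, end):
    """Per-source set of administrative protocols observed in [start, end)."""
    baseline = defaultdict(set)
    for ts, src, _dst, port in events:
        if start <= ts < end and port in ADMIN_PORTS:
            baseline[src].add(ADMIN_PORTS[port])
    return baseline


def detect(events, baseline, start, end):
    """Return (src, protocol, dst) alerts for admin activity in [start, end) that has
    no precedent in the source's baseline and is not shared by many peers."""
    recent = [e for e in events if start <= e[0] < end and e[3] in ADMIN_PORTS]
    # Peer comparison: distinct sources performing each (dst, protocol) in the window.
    peers = defaultdict(set)
    for _ts, src, dst, port in recent:
        peers[(dst, ADMIN_PORTS[port])].add(src)
    alerts, seen = [], set()
    for _ts, src, dst, port in recent:
        proto = ADMIN_PORTS[port]
        key = (src, proto, dst)
        if key in seen:                       # deduplicate repeats inside the window
            continue
        seen.add(key)
        if proto in baseline.get(src, set()):  # the endpoint already does this
            continue
        if len(peers[(dst, proto)]) >= PEER_THRESHOLD:  # common across the estate
            continue
        alerts.append(key)
    return alerts


def run(events, now=NOW):
    """Baseline over the training window that ends where the test window begins,
    then evaluate the test window."""
    test_start = now - TEST_WINDOW
    baseline = build_baseline(events, now - TRAINING, test_start)
    return detect(events, baseline, test_start, now)


if __name__ == "__main__":
    for src, proto, dst in run(parse_logs(SAMPLE_LOGS)):
        print(f"New administrative behavior: {src} -> {dst} over {proto}")
```

Two details mirror the caveats in the description. The baseline window deliberately stops where the test window starts, so an endpoint's first-ever RDP session cannot baseline itself; and the expired 10.0.0.50 entry from February shows why a long training window matters, since anything older is forgotten and would fire again.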

Attacker's Goals

An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.

Investigative Actions

Investigate the endpoint to determine if it is legitimately being used for administrative functions.
