An endpoint is engaging in network activities that are attributable to administrative functions. However, the endpoint historically does not engage in these administrative activities. In raising this alert, Cortex XDR Analytics considers the network protocols being used to support the administrative

It is possible that an endpoint will infrequently be used for administrative activities, so Cortex XDR Analytics performs the baseline evaluation using logs collected over a long period of time. Cortex XDR Analytics also evaluates the activity compared to what other endpoints are doing. That is, if many endpoints are contacting the same destination with the same activity, then the network activity is less likely to result in this alert.

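The two suppression rules just described (a long per-endpoint baseline, plus a comparison against peer endpoints) can be illustrated with a small detector run over constructed flow records. This is an added example, not Cortex XDR Analytics code, and its logic is a simplification of what the product does. The set of administrative ports (`ADMIN_PORTS`), the window lengths, the peer threshold, and the log lines are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of ports treated as administrative protocols (illustrative only;
# the real product's protocol list is not stated on this page).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 445: "smb", 5985: "winrm"}

# Constructed sample flow log: "<ISO timestamp> <src endpoint> <dst endpoint> <dst port>".
# it-admin-01 has a long history of admin protocols; ws-* hosts all use the file
# server over SMB; ws-dave suddenly starts RDP/SMB to other workstations.
SAMPLE_LOGS = """
2024-03-01T09:00:00 it-admin-01 srv-dc-01 3389
2024-03-05T10:00:00 it-admin-01 srv-file-01 445
2024-03-10T11:00:00 it-admin-01 srv-dc-01 3389
2024-03-20T12:00:00 it-admin-01 srv-web-01 22
2024-03-28T09:30:00 it-admin-01 srv-dc-01 3389
2024-03-30T09:00:00 it-admin-01 srv-dc-01 3389
2024-03-02T08:00:00 ws-alice srv-file-01 445
2024-03-12T08:00:00 ws-bob srv-file-01 445
2024-03-22T08:00:00 ws-carol srv-file-01 445
2024-03-30T08:05:00 ws-dave srv-file-01 445
2024-03-30T08:10:00 ws-erin srv-file-01 445
2024-03-30T14:00:00 ws-dave ws-alice 3389
2024-03-30T14:01:00 ws-dave ws-bob 3389
2024-03-30T14:02:00 ws-dave ws-carol 445
"""

# Point in time at which the constructed log is evaluated.
EVALUATION_TIME = datetime(2024, 3, 31)


def parse_logs(text):
    """Parse the constructed log lines into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_new_admin_activity(records, now, recent_days=1, baseline_days=30, peer_threshold=3):
    """Return (src, dst, protocol) tuples for admin activity that is new for the
    source endpoint and not shared by at least peer_threshold other endpoints.

    recent_days:   window of activity being judged.
    baseline_days: long history window used to learn each endpoint's habits.
    """
    recent_start = now - timedelta(days=recent_days)
    baseline_start = now - timedelta(days=baseline_days)
    admin = [r for r in records if r[3] in ADMIN_PORTS and baseline_start < r[0] <= now]

    # Admin protocols each endpoint used historically (before the recent window).
    baseline_protos = defaultdict(set)
    # Distinct source endpoints seen per (destination, port) over the whole window.
    peers = defaultdict(set)
    for ts, src, dst, port in admin:
        peers[(dst, port)].add(src)
        if ts <= recent_start:
            baseline_protos[src].add(ADMIN_PORTS[port])

    alerts = set()
    for ts, src, dst, port in admin:
        if ts <= recent_start:
            continue  # only recent activity is judged
        proto = ADMIN_PORTS[port]
        if proto in baseline_protos[src]:
            continue  # endpoint has a history of this admin protocol: no alert
        if len(peers[(dst, port)] - {src}) >= peer_threshold:
            continue  # many other endpoints do the same thing to this destination
        alerts.add((src, dst, proto))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, proto in find_new_admin_activity(parse_logs(SAMPLE_LOGS), EVALUATION_TIME):
        print(f"new admin activity: {src} -> {dst} via {proto}")
```

With the defaults, the only alerts are ws-dave's RDP and SMB connections to other workstations: it-admin-01's RDP session on the last day is suppressed by its 30-day baseline, and the SMB traffic from ws-dave and ws-erin to the file server is suppressed because several peer endpoints do the same. Raising `peer_threshold` shows how much the peer comparison matters: the file-server SMB connections then surface as alerts too.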
Cortex XDR Analytics assumes ordinary users perform few or no administrative actions. Cortex XDR Analytics also assumes that IT personnel and scanners will have specific roles that result in limited, narrowly defined administrative activities. Under some circumstances (for example, small networks), these assumptions might not be valid. In that case, some manual intervention on your part may be required to avoid false positives (described

An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.

endpoint to determine if it is legitimately being used for administrative