An endpoint is scanning privileged ports (lower than 1024) on other endpoints. The ports that the endpoint is scanning are infrequently used by other endpoints (destination ports that are normally used by many other endpoints will not raise this alert). Also, the traffic is not related to FTP or DCE/RPC.
activity exceeds the baseline average number of port connections
for endpoints of this type.
An attacker is determining
which ports are open or closed on remote endpoints in an attempt
to identify the endpoint operating system, firewall configuration,
and exploitable services.
that use multiple ports can cause a false positive. Ensure that
the endpoint is not new on the network, and is not hosting services
such as FTP servers or domain controllers that are being contacted
for the first time.
Check if the activity is a SYN-ACK scan. These might result
in Cortex XDR Analytics detecting the scan as coming from
the wrong direction, and could mean that Cortex XDR Analytics
used the wrong baseline in triggering the alert.
Check for port map and/or X11 usage. These usually open multiple
ports. If the protocol usage for the specific destination is sparse,
Cortex XDR Analytics could raise a false alert.
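As an added example (not Cortex XDR's own code), the following Python sketch implements the heuristic described above over constructed flow records: it counts the distinct privileged ports each source contacts, drops destinations that many endpoints use, skips FTP and DCE/RPC, and compares what remains against a baseline. The port numbers, thresholds and host names are assumptions.

```python
# Added illustration, not Cortex XDR's own logic: a simplified version of the
# port-scan heuristic described above, run over constructed flow records.
from collections import defaultdict

# Ports excluded by the alert text; the concrete numbers are assumptions.
FTP_PORTS = {20, 21}
DCE_RPC_PORTS = {135}
EXCLUDED_PORTS = FTP_PORTS | DCE_RPC_PORTS
PRIVILEGED_MAX = 1024

def privileged_targets(flows):
    """Map each source to the (destination, port) pairs it contacted on
    privileged ports, ignoring FTP and DCE/RPC. Flows are assumed to be
    oriented initiator -> responder; a SYN-ACK scan recorded the wrong
    way round would attribute the activity to the wrong endpoint."""
    per_src = defaultdict(set)
    for src, dst, port in flows:
        if port < PRIVILEGED_MAX and port not in EXCLUDED_PORTS:
            per_src[src].add((dst, port))
    return per_src

def popular_targets(per_src, min_sources):
    """(destination, port) pairs used by at least min_sources distinct
    endpoints count as 'normally used by many endpoints' and are skipped."""
    users = defaultdict(int)
    for targets in per_src.values():
        for target in targets:
            users[target] += 1
    return {t for t, n in users.items() if n >= min_sources}

def detect_port_scans(flows, baseline_avg, min_sources=3, factor=3.0):
    """Return {source: rare_port_count} for sources whose count of rarely
    used privileged ports exceeds factor * baseline_avg, where baseline_avg
    stands for the average for endpoints of the same type."""
    per_src = privileged_targets(flows)
    popular = popular_targets(per_src, min_sources)
    return {src: len(t - popular) for src, t in per_src.items()
            if len(t - popular) > baseline_avg * factor}

# Constructed sample: three workstations use the domain controller normally;
# ws-07 sweeps srv-05, including FTP (21) and DCE/RPC (135), which are ignored.
SAMPLE_FLOWS = [(ws, "dc01", p) for ws in ("ws-01", "ws-02", "ws-03")
                for p in (88, 389, 445)]
SAMPLE_FLOWS += [("ws-01", "fileshare", 445)]
SAMPLE_FLOWS += [("ws-07", "srv-05", p)
                 for p in (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 8080)]

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_FLOWS, baseline_avg=2))  # {'ws-07': 9}
```

Only ws-07 is reported: its nine rarely used privileged ports exceed three times the baseline of two, while ws-01's single uncommon destination does not.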