An endpoint is periodically accessing an external domain that is rarely used by the endpoint, or by other endpoints in its peer group. The access to this domain has occurred repeatedly, over many days. Analysis of the connection pattern shows that it is consistent with malware connecting to its command and control server for updates and operating instructions. Cortex XDR has considered the usage of the domain by both your organization and by the identified endpoint, and has determined that the traffic is unusual enough to warrant this alert.
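The heuristic described above, as an added example that is not Cortex XDR's own logic: it scores a domain on how rare it is within the endpoint's peer group, how evenly spaced the endpoint's connections to it are, and how many days they span. Record layout, thresholds and the sample connection log are all constructed assumptions.

```python
# Added example (not Cortex XDR code): rare domain + periodic access heuristic.
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample records: (timestamp, endpoint, peer_group, domain).
# host-a contacts the rare domain every 6 hours for ~4 days; every host in
# the group uses the common CDN domain at irregular times.
START = datetime(2024, 1, 1, 8, 0)
RECORDS = [(START + timedelta(hours=6 * i), "host-a", "finance", "rare-updates.example")
           for i in range(16)]
RECORDS += [(START + timedelta(hours=h), host, "finance", "cdn.example")
            for host in ("host-a", "host-b", "host-c", "host-d", "host-e")
            for h in (1, 2, 5, 17, 23, 40, 71, 90)]

def domain_rarity(records, domain, peer_group):
    """Share of endpoints in the peer group that ever contacted the domain."""
    group = {ep for _, ep, pg, _ in records if pg == peer_group}
    users = {ep for _, ep, pg, d in records if pg == peer_group and d == domain}
    return len(users) / len(group)

def periodicity(records, endpoint, domain):
    """Return (days spanned, coefficient of variation of the gaps between
    connections). A CV near 0 means evenly spaced connections, i.e. a beacon."""
    times = sorted(t for t, ep, _, d in records if ep == endpoint and d == domain)
    if len(times) < 3:
        return 0.0, None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    days = (times[-1] - times[0]).total_seconds() / 86400
    return days, pstdev(gaps) / mean(gaps)

def is_suspicious(records, endpoint, domain, max_rarity=0.25, min_days=3, max_cv=0.2):
    """True when the domain is rare in the endpoint's peer group and the
    endpoint's connections to it are regular and span several days."""
    peer_group = next(pg for _, ep, pg, _ in records if ep == endpoint)
    days, cv = periodicity(records, endpoint, domain)
    if cv is None:
        return False
    return (domain_rarity(records, domain, peer_group) <= max_rarity
            and days >= min_days and cv <= max_cv)

if __name__ == "__main__":
    for domain in ("rare-updates.example", "cdn.example"):
        print(domain, is_suspicious(RECORDS, "host-a", domain))
```

Running `domain_rarity` for the flagged domain across the whole peer group is also the quickest way to find other endpoints contacting it, which is the last investigative step listed below.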
If, after investigating this alert, you determine that the domain identified by this alert is in fact used for the purposes of malware command and control, you should consider adding the domain to the Analytics External Dynamic List.
Communicate with malware running on your network for the purpose of controlling malware activities, performing software updates on the malware, or taking inventory of infected machines.
Investigate the process/user contacting the remote domain and determine whether the traffic is malicious.
Look for other endpoints on your network that are also periodically contacting the suspicious domain.