Recurring Rare Domain Access

This analytics alert indicates that an endpoint is connecting repeatedly to an external domain in a way that suggests the remote domain is performing malware command and control.


Activation Period: 1 day
Training Period: 14 days
Test Period: 14 days
Deduplication Period: 14 days
Required Data: Threat and Enhanced Application logs
Severity: Varies by activity (High, Medium, or Low).


An endpoint is periodically accessing an external domain that is rarely used by the endpoint, or by other endpoints in its peer group. The access to this domain has occurred repeatedly, over many days. Analysis of the connection pattern shows that it is consistent with malware connecting to its command and control server for updates and operating instructions.
Cortex XDR has weighed the usage of the domain both across your organization and by the identified endpoint, and has determined that the traffic is unusual enough to warrant this alert.
If, after investigating this alert, you determine that the domain identified by this alert is in fact used for the purposes of malware command and control, you should consider adding the domain to the Analytics External Dynamic List.

Attacker's Goals

Communicate with malware running on your network for the purpose of controlling malware activities, performing software updates on the malware, or for taking inventory of infected machines.

Investigative Actions

  • Identify the process/user contacting the remote domain and determine whether the traffic is malicious.
  • Look for other endpoints on your network that are also periodically contacting the suspicious domain.
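The following is an added illustration, not Cortex XDR's own detector, of the three properties the description above combines (the domain is rare within the endpoint's peer group, the access recurs over many days, and the connections are spaced regularly) together with the second investigative action (listing the other endpoints that contacted the same domain). All thresholds, host names, domains and log records are constructed assumptions for the example.

```python
"""
Added illustration (not Cortex XDR's own detector): a toy version of the
three checks this alert describes, run over constructed connection records.
Record format: (timestamp, endpoint, peer_group, domain).
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Illustrative thresholds; Cortex XDR's actual tuning is not published here.
MAX_PEER_FRACTION = 0.15   # "rare": at most 15% of the peer group ever contacts the domain
MIN_CONNECTIONS = 8        # enough samples to judge periodicity
MIN_DISTINCT_DAYS = 5      # "over many days"
MAX_INTERVAL_CV = 0.25     # gaps between connections are regular (beacon-like)


def build_sample_logs():
    """Constructed traffic for a 20-host 'finance' peer group over 7 days."""
    base = datetime(2024, 1, 1, 8, 0, 0)
    hosts = [f"host-{i:02d}" for i in range(1, 21)]
    logs = []
    # Normal noise: every host reaches the corporate mail domain at irregular times.
    rng = random.Random(7)
    for host in hosts:
        for day in range(7):
            for _ in range(2):
                ts = base + timedelta(days=day, minutes=rng.randrange(0, 600))
                logs.append((ts, host, "finance", "mail.example"))
    # host-17 contacts a domain nobody else uses, exactly every 6 hours for a week.
    for i in range(28):
        logs.append((base + timedelta(hours=6 * i), "host-17", "finance",
                     "cdn-update-check.example"))
    # host-02 touches the same rare domain once: rare, but neither recurring nor periodic.
    logs.append((base + timedelta(days=3, hours=2), "host-02", "finance",
                 "cdn-update-check.example"))
    return logs


def detect(logs):
    """Return {(endpoint, domain): details} for pairs that match the alert pattern."""
    members = defaultdict(set)       # peer_group -> endpoints observed in it
    contacts = defaultdict(set)      # (peer_group, domain) -> endpoints that contacted it
    timestamps = defaultdict(list)   # (endpoint, domain) -> connection times
    group_of = {}
    for ts, endpoint, group, domain in logs:
        members[group].add(endpoint)
        contacts[(group, domain)].add(endpoint)
        timestamps[(endpoint, domain)].append(ts)
        group_of[endpoint] = group

    alerts = {}
    for (endpoint, domain), stamps in timestamps.items():
        group = group_of[endpoint]
        # 1. Rarity relative to the endpoint's peer group.
        peer_fraction = len(contacts[(group, domain)]) / len(members[group])
        if peer_fraction > MAX_PEER_FRACTION:
            continue
        # 2. Recurrence across many days.
        stamps = sorted(stamps)
        if len(stamps) < MIN_CONNECTIONS:
            continue
        distinct_days = {t.date() for t in stamps}
        if len(distinct_days) < MIN_DISTINCT_DAYS:
            continue
        # 3. Periodicity: low coefficient of variation of inter-connection gaps.
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv > MAX_INTERVAL_CV:
            continue
        alerts[(endpoint, domain)] = {
            "connections": len(stamps),
            "distinct_days": len(distinct_days),
            "peer_fraction": peer_fraction,
            "mean_interval_hours": avg_gap / 3600,
            "interval_cv": cv,
            # Investigative action: other endpoints that also touched this domain.
            "other_endpoints": sorted(contacts[(group, domain)] - {endpoint}),
        }
    return alerts


if __name__ == "__main__":
    for (endpoint, domain), info in detect(build_sample_logs()).items():
        print(f"{endpoint} -> {domain}: {info}")
```

On the constructed data only host-17's 6-hourly contact with cdn-update-check.example is flagged: mail.example is used by the whole peer group, so it fails the rarity check, and host-02's single visit to the rare domain fails the recurrence check. The "other_endpoints" field is what you would pivot on when looking for additional hosts contacting the suspicious domain.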
