Recurring Rare IP Access

This Analytics alert indicates that an endpoint is repeatedly connecting to an external endpoint IP address in a way that suggests connections to a command-and-control server.


1 day
21 days
21 days
21 days
Any of the following:
  • Palo Alto Networks firewall traffic logs
  • Check Point firewall traffic logs
  • Cisco firewall traffic logs
  • Fortinet firewall traffic logs
  • Cortex XDR agent endpoint data
Varies by activity (High, Medium, or Low).


An endpoint is periodically accessing an external endpoint IP address in a way that is suggestive of command-and-control activity. Analysis of the connection pattern shows that it is consistent with malicious code (such as malware) connecting to its command-and-control server for updates and operating instructions. Access to this IP address has occurred repeatedly over many days, and other endpoints in your network rarely access this IP address.
Cortex XDR Analytics has considered the usage of the IP address and determined that the traffic is unusual enough to warrant this alert.
If, after investigating this alert, you determine that the IP address identified by this alert is used for command-and-control activity, consider adding the IP address to the Analytics External Dynamic List.
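The recurrence-plus-rarity pattern described above can be sketched as follows. This is an added example, not Cortex XDR Analytics' detection code; the thresholds (`min_days`, `max_sources`, `max_jitter`), the record layout, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def find_recurring_rare(records, min_days=5, max_sources=1, max_jitter=0.2):
    """records: iterable of (iso_timestamp, src_host, dst_ip) tuples.
    Flags (src, dst) pairs seen on >= min_days distinct days where dst is
    contacted by <= max_sources hosts and the connection gaps are regular."""
    times = defaultdict(list)    # (src, dst) -> connection timestamps
    sources = defaultdict(set)   # dst -> internal hosts that contacted it
    for ts, src, dst in records:
        times[(src, dst)].append(datetime.fromisoformat(ts))
        sources[dst].add(src)
    findings = []
    for (src, dst), seen in times.items():
        seen.sort()
        days = {t.date() for t in seen}
        # Skip pairs that are not recurring (too few days) or not rare.
        if len(days) < max(min_days, 2) or len(sources[dst]) > max_sources:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        jitter = pstdev(gaps) / mean(gaps)  # coefficient of variation of gaps
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "days": len(days),
                             "mean_gap_s": round(mean(gaps)),
                             "jitter": round(jitter, 3)})
    return findings

def sample_records():
    """Constructed sample traffic; addresses are RFC 5737 documentation ranges."""
    start = datetime(2024, 1, 1, 8, 0, 0)
    recs = []
    # host-a: one connection every 6 hours to an address nobody else uses.
    for i in range(28):
        ts = (start + timedelta(hours=6 * i)).isoformat()
        recs.append((ts, "host-a", "203.0.113.50"))
    # Popular address: contacted once a day by four hosts (recurring, not rare).
    for day in range(7):
        ts = (start + timedelta(days=day, minutes=7)).isoformat()
        recs += [(ts, h, "198.51.100.10") for h in ("host-a", "host-b", "host-c", "host-d")]
    # host-b: rare address, but only three irregular connections on two days.
    for off in (3, 5, 40):
        recs.append(((start + timedelta(hours=off)).isoformat(), "host-b", "203.0.113.77"))
    return recs

if __name__ == "__main__":
    for finding in find_recurring_rare(sample_records()):
        print(finding)
```

Raising `max_sources` to 4 makes the widely used address match as well, which shows why the rarity condition matters for keeping regular traffic to common services out of the results.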

Attacker's Goals

Communicate with malicious code running on your network for the purpose of enabling further access to the endpoint and network, performing software updates on the endpoint, or taking inventory of infected machines.

Investigative Actions

  • Identify if the IP address belongs to a reputable organization or an asset used in a public cloud.
  • Identify if the source of the traffic is malware. If the source of the traffic is a malicious file, Cortex XDR Analytics also raises a malware alert for the file on the endpoint. Malware may contact legitimate IP addresses, so check for unusual apps used, or unusual ports or volumes accessed.
  • View all related traffic generated by the suspicious process to understand the purpose.
  • Look for other endpoints on your network that are also contacting the suspicious IP address.
  • Examine file-system operations performed by the process to look for potential artifacts on infected endpoints.
