A non-SMTP server is connecting to an excessive number of external endpoints. The detector looks for SMTP connections to external endpoints, but the volume of traffic is not considered. A count is performed based on the number of domains to which the non-SMTP process is connecting, as well as the number of unresolved IP addresses the process is using.
the source is not an SMTP server. If Cortex XDR Analytics has failed to identify the process as a valid SMTP server, this alert will be a false positive.
Verify that IP addresses are really not being resolved by the non-SMTP process. If the process performs DNS resolution against a DNS service outside of your network, it is possible (depending on your network topology) that Cortex XDR Analytics will not observe that DNS traffic, so every destination appears unresolved. Because SMTP services typically use a large number of IP addresses, this situation could cause a process to exceed the detector's threshold when it would otherwise not do so.
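The counting logic the detector is described as performing, together with the unresolved-IP false-positive case from the paragraph above, is easier to reason about with a toy model. The script below is an added illustration written for this page; it is not Cortex XDR code, and the thresholds, the internal address ranges, the record layouts and the sample telemetry are all assumptions. It tags an SMTP destination as "resolved" only when the sensor saw a DNS answer for that IP on the same host, so a process that uses an external resolver the sensor cannot see accumulates unresolved IPs exactly as the text warns.

```python
"""Toy model of the page's detection logic (illustrative, not Cortex XDR code).

For each process that is not a known SMTP server, count the distinct external
domains it contacts over SMTP and the destination IPs for which the sensor
observed no DNS resolution, then flag the process if either count exceeds an
assumed threshold.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed thresholds; the real detector's limits are not stated on the page.
DOMAIN_THRESHOLD = 3
UNRESOLVED_THRESHOLD = 3

# Assumed definition of "internal": RFC 1918 ranges plus loopback.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(connections, dns_answers, smtp_servers):
    """
    connections : iterable of (host, process, dst_ip, dst_port)
    dns_answers : iterable of (host, process, domain, resolved_ip) seen by the sensor
    smtp_servers: set of (host, process) classified as legitimate SMTP servers
    Returns {(host, process): {"domains": n, "unresolved": n, "alert": bool}}
    for every non-SMTP process that made at least one external SMTP connection.
    """
    # (host, ip) -> domains the sensor saw resolving to that ip on that host.
    resolved = defaultdict(set)
    for host, _proc, domain, ip in dns_answers:
        resolved[(host, ip)].add(domain)

    domains = defaultdict(set)     # (host, proc) -> distinct domains contacted
    unresolved = defaultdict(set)  # (host, proc) -> IPs with no observed DNS answer
    for host, proc, ip, port in connections:
        if port != 25 or not is_external(ip):
            continue  # only external SMTP connections are counted
        key = (host, proc)
        if (host, ip) in resolved:
            domains[key].update(resolved[(host, ip)])
        else:
            unresolved[key].add(ip)

    result = {}
    for key in set(domains) | set(unresolved):
        if key in smtp_servers:
            continue  # the detector only fires on non-SMTP processes
        d, u = len(domains[key]), len(unresolved[key])
        result[key] = {"domains": d, "unresolved": u,
                       "alert": d > DOMAIN_THRESHOLD or u > UNRESOLVED_THRESHOLD}
    return result


# Constructed sample telemetry (hypothetical hosts, processes and addresses).
SMTP_SERVERS = {("mx01", "postfix")}

DNS_ANSWERS = [
    ("ws01", "updater.exe", "mail.example-a.test", "203.0.113.10"),
    ("ws01", "updater.exe", "mail.example-b.test", "203.0.113.11"),
    ("mx01", "postfix", "mx.example-c.test", "198.51.100.20"),
]

CONNECTIONS = [
    # ws01/updater.exe: 2 destinations with an observed DNS answer, 4 without.
    ("ws01", "updater.exe", "203.0.113.10", 25),
    ("ws01", "updater.exe", "203.0.113.11", 25),
    ("ws01", "updater.exe", "203.0.113.12", 25),
    ("ws01", "updater.exe", "203.0.113.13", 25),
    ("ws01", "updater.exe", "203.0.113.14", 25),
    ("ws01", "updater.exe", "203.0.113.15", 25),
    ("ws01", "updater.exe", "10.0.0.5", 25),       # internal destination, ignored
    ("ws01", "updater.exe", "203.0.113.16", 443),  # not SMTP, ignored
    # mx01/postfix: a classified SMTP server, excluded from the count.
    ("mx01", "postfix", "198.51.100.20", 25),
    ("mx01", "postfix", "198.51.100.21", 25),
    # ws02/relay.exe: a mail relay whose DNS lookups go to an external resolver
    # the sensor never sees, so all four destinations look unresolved.
    ("ws02", "relay.exe", "198.51.100.30", 25),
    ("ws02", "relay.exe", "198.51.100.31", 25),
    ("ws02", "relay.exe", "198.51.100.32", 25),
    ("ws02", "relay.exe", "198.51.100.33", 25),
]


def demo():
    """Run the model twice: once as-is, once after classifying the relay as SMTP."""
    before = evaluate(CONNECTIONS, DNS_ANSWERS, SMTP_SERVERS)
    after = evaluate(CONNECTIONS, DNS_ANSWERS, SMTP_SERVERS | {("ws02", "relay.exe")})
    return before, after


if __name__ == "__main__":
    for label, res in zip(("before", "after"), demo()):
        print(label, res)
```

In the first run both `updater.exe` and `relay.exe` trip the unresolved-IP threshold; the relay is the false positive the text describes, and it disappears from the second run once it is classified as an SMTP server, which mirrors the first investigative step.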
If the SMTP connection activity proves to be the result of malicious file activity, search in the