Abnormal communication with a rare combination of TLS and HTTP User Agent

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Abnormal communication with a rare combination of TLS and HTTP User Agent to an external address.

Attacker's Goals

Data exfiltration, attack tool staging or command and control channel through a trusted service.

Investigative actions

  • Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server.
  • Examine the parent process of this application.
  • Check for anomalies at the time when the communication occurred.
  • Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.

Variations

Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Abnormal communication with a rare combination of TLS and HTTP User Agent to an instant messaging server.

Attacker's Goals

Data exfiltration, attack tool staging or command and control channel through a trusted service.

Investigative actions

  • Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server.
  • Examine the parent process of this application.
  • Check for anomalies at the time when the communication occurred.
  • Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.


Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Abnormal communication with a rare combination of TLS and HTTP User Agent to a globally rare domain.

Attacker's Goals

Data exfiltration, attack tool staging or command and control channel through a trusted service.

Investigative actions

  • Examine the legitimacy of the application that produced this rare TLS fingerprint with the external server.
  • Examine the parent process of this application.
  • Check for anomalies at the time when the communication occurred.
  • Verify if the outbound communication is being routed through a legitimate HTTP tunneling solution.