Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
1 Day |
Deduplication Period |
1 Day |
Required Data |
- Requires one of the following data sources:
- Palo Alto Networks Platform Logs
OR - XDR Agent
OR - Third-Party Firewalls
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
Discovery (TA0007) |
ATT&CK Technique |
Remote System Discovery (T1018) |
Severity |
Low |
Description
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.
Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.
An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.
Attacker's Goals
An attacker does not know your network and is exploring it for new or unknown subnets.
Investigative actions
- Validate that the source is not a sanctioned port scanner.
- Check for suspicious artifacts in the endpoint profile.
Variations
Failed Connections
Synopsis
Description
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.
Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.
An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.
Attacker's Goals
An attacker does not know your network and is exploring it for new or unknown subnets.
Investigative actions
- Validate that the source is not a sanctioned port scanner.
- Check for suspicious artifacts in the endpoint profile.
Failed Connections with a rare causality and actor processes relations
Synopsis
Description
The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.
Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.
An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.
These failed connections originated from a rare relation between an actor process and its causality.
Attacker's Goals
An attacker does not know your network and is exploring it for new or unknown subnets.
Investigative actions
- Validate that the source is not a sanctioned port scanner.
- Check for suspicious artifacts in the endpoint profile.