New Administrative Behavior

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

12 Hours

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs, or
    • XDR Agent, or
    • Third-Party Firewalls

Detection Modules

Detector Tags

NDR Lateral Movement Analytics

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services (T1021)

Severity

Medium

Description

The endpoint performed new administrative actions relative to its previously profiled behavior. Because an endpoint may be used for administrative activity only infrequently, the analytics is computed over logs collected across a long period of time and also compares the activity with that of other endpoints: if many endpoints contact the same destination with the same administrative activity, that network activity is less likely to raise this alert.

An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement.

Attacker's Goals

An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.

Investigative actions

Investigate the endpoint to determine if it is legitimately being used for administrative functions.

Variations

New SSH Administrative Behavior

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services (T1021)

Severity

Informational

Description

The endpoint performed new SSH administrative actions relative to its previously profiled behavior. Because an endpoint may be used for administrative activity only infrequently, the analytics is computed over logs collected across a long period of time and also compares the activity with that of other endpoints: if many endpoints contact the same destination with the same administrative activity, that network activity is less likely to raise this alert.

An attacker may be operating on the host, probing other computers and moving laterally inside the network using a trusted computer and credentials. Attackers typically exhibit administrative behaviors when performing reconnaissance and lateral movement.
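The baseline-plus-peer-comparison logic described in both descriptions above (the general alert and the SSH variation), as an added illustration that is not Cortex XDR's implementation: the record format, the peer threshold and the sample records are assumptions constructed for the example; only the 30-day training window comes from the page.

```python
"""Illustrative "new administrative behavior" logic: an event alerts only when it
is new for the source endpoint AND not common across other endpoints.
Added example, not Cortex XDR code; record format and thresholds are assumed."""
from collections import defaultdict

# Constructed sample records: (day, source endpoint, destination, admin activity).
# Days 1-30 form the training window; day 31 holds the events under test.
HISTORY = [
    (0, "ws-09", "srv-07", "SSH"),               # too old: outside the window
    (2, "ws-01", "dc-01", "RPC/WMI"),
    (9, "ws-01", "dc-01", "RPC/WMI"),
    (3, "ws-02", "fs-01", "SMB admin share"),
    (4, "ws-03", "fs-01", "SMB admin share"),
    (5, "ws-04", "fs-01", "SMB admin share"),
    (6, "ws-05", "fs-01", "SMB admin share"),
    (12, "ops-01", "srv-07", "SSH"),
]
TRAINING_DAYS = 30   # from the page: 30-day training period
PEER_THRESHOLD = 3   # assumed: a (destination, activity) pair seen from this
                     # many endpoints counts as "common" and is not alerted

def build_profiles(records, now_day):
    """Per-endpoint baseline and per-(destination, activity) peer sets,
    restricted to the training window ending at now_day."""
    per_source = defaultdict(set)   # endpoint -> {(dst, activity)}
    per_pair = defaultdict(set)     # (dst, activity) -> {endpoints}
    for day, src, dst, act in records:
        if now_day - TRAINING_DAYS <= day < now_day:
            per_source[src].add((dst, act))
            per_pair[(dst, act)].add(src)
    return per_source, per_pair

def evaluate(event, per_source, per_pair):
    """Return 'baseline', 'common' (suppressed) or 'alert' for one event."""
    _, src, dst, act = event
    if (dst, act) in per_source[src]:
        return "baseline"   # this endpoint has done this before
    if len(per_pair[(dst, act)]) >= PEER_THRESHOLD:
        return "common"     # many endpoints do this: less likely to alert
    return "alert"          # new for this endpoint and rare in the fleet

def run(records, events, now_day):
    per_source, per_pair = build_profiles(records, now_day)
    return {(e[1], e[2], e[3]): evaluate(e, per_source, per_pair) for e in events}

if __name__ == "__main__":
    TEST_EVENTS = [
        (31, "ws-01", "dc-01", "RPC/WMI"),          # already in ws-01's profile
        (31, "ws-09", "fs-01", "SMB admin share"),  # new for ws-09 but common
        (31, "ws-09", "srv-07", "SSH"),             # new and rare -> alert
    ]
    for key, verdict in run(HISTORY, TEST_EVENTS, 31).items():
        print(key, verdict)
```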

Attacker's Goals

An attacker is using administrative functions to move from one endpoint to another, or to scan the network for new endpoints to attack.

Investigative actions

Investigate the endpoint to determine if it is legitimately being used for administrative functions.