Rare process created an SSH session to an uncommon external host

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent
      OR
    • Third-Party Firewalls

Detection Modules

Detector Tags

EDR Windows C2 Analytics

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

Rare process created an SSH session to an uncommon external host.

Attacker's Goals

Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.

Investigative actions

  • Investigate the actor process and its causality.
  • Review the external IP/domain using known intelligence tools.
  • Search for processes or files that were accessed by this SSH instance.

Variations

Rare process created an SSH session to a domain with an uncommon TLD

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Medium

Description

Rare process created an SSH session to a domain with an uncommon TLD.

Attacker's Goals

Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.

Investigative actions

  • Investigate the actor process and its causality.
  • Review the external IP/domain using known intelligence tools.
  • Search for processes or files that were accessed by this SSH instance.


Rare process created an SSH session to an globally uncommon external host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Low

Description

Rare process created an SSH session to an globally uncommon external host.

Attacker's Goals

Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.

Investigative actions

  • Investigate the actor process and its causality.
  • Review the external IP/domain using known intelligence tools.
  • Search for processes or files that were accessed by this SSH instance.


Rare process created an SSH session to an external host

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Application Layer Protocol (T1071)

Severity

Informational

Description

Rare process created an SSH session to an external host.

Attacker's Goals

Attackers may use SSH or any similar utility to as a Command and Control (C2) channel or to exfiltrate data to a remote host.

Investigative actions

  • Investigate the actor process and its causality.
  • Review the external IP/domain using known intelligence tools.
  • Search for processes or files that were accessed by this SSH instance.