Failed Connections

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Day

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent
      OR
    • Third-Party Firewalls

Detection Modules

Detector Tags

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Remote System Discovery (T1018)

Severity

Low

Description

The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.

Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.

An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.
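The detection logic described above, modelled over a constructed connection log as an added example (not Palo Alto Networks code and not the actual Cortex XDR implementation). The 24-hour inactivity window is the page's; the 7-day scanner streak, the 10-failure floor and the 3-sigma baseline test are assumptions, and the model covers the count of failures, not the "mixture" of targets.

```python
"""Toy model of the page's "Failed Connections" logic; added example, not Palo Alto Networks code; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import takewhile
from statistics import mean, pstdev
INACTIVE_AFTER = timedelta(hours=24)  # page: target inactive for more than 24 hours
SCANNER_STREAK_DAYS = 7               # assumed: this many consecutive active days marks a sanctioned scanner
MIN_FAILURES = 10                     # assumed floor so a handful of failures never alerts

def daily_dead_host_failures(events):
    """events: time-sorted (ts, src, dst, ok) -> {src: {day: failures to never-seen or >24h-idle hosts}}."""
    last_active, counts = {}, defaultdict(lambda: defaultdict(int))
    for ts, src, dst, ok in events:
        last_active[src] = ts                    # a host that connects out is alive
        if ok:
            last_active[dst] = ts                # a host that answers is alive
        elif dst not in last_active or ts - last_active[dst] > INACTIVE_AFTER:
            counts[src][ts.date()] += 1
    return counts

def evaluate(events, training_days=30):
    """Verdict per source for the most recent day: 'alert', 'sanctioned-scanner' or 'normal'."""
    counts = daily_dead_host_failures(events)
    test_day = events[-1][0].date()              # test period: the latest day in the log
    train = [test_day - timedelta(days=d) for d in range(training_days, 0, -1)]
    verdicts = {}
    for src, per_day in counts.items():
        baseline = [per_day.get(d, 0) for d in train]
        today = per_day.get(test_day, 0)
        streak = sum(1 for _ in takewhile(lambda n: n > 0, reversed(baseline)))  # active days ending yesterday
        if streak >= SCANNER_STREAK_DAYS:
            verdicts[src] = "sanctioned-scanner"  # long-running scanner, filtered out
        elif today >= MIN_FAILURES and today > mean(baseline) + 3 * pstdev(baseline):
            verdicts[src] = "alert"              # abnormal spike against the 30-day baseline
        else:
            verdicts[src] = "normal"
    return verdicts

def sample_events():
    """Constructed log: 30 training days (Nov 2024) plus the test day 2024-12-01."""
    ev = []
    for d in range(31):
        day = datetime(2024, 11, 1) + timedelta(days=d)
        ev.append((day + timedelta(hours=9), "ws-12", "srv-1", True))             # normal traffic
        ev.append((day + timedelta(hours=9, minutes=1), "ws-12", "srv-1", False))  # live host: not counted
        ev += [(day + timedelta(hours=2, minutes=i), "scan-1", f"dead-{i}", False) for i in range(50)]
    test = datetime(2024, 12, 1)                 # new behaviour on the test day only
    ev += [(test + timedelta(hours=13, minutes=i), "ws-12", f"ghost-{i}", False) for i in range(40)]
    ev += [(test + timedelta(hours=14, minutes=i), "ws-34", f"ghost-{i}", False) for i in range(3)]
    return sorted(ev)
```

Running `evaluate(sample_events())` flags only `ws-12`: the daily scanner is filtered out by its streak and the three stray failures from `ws-34` stay below the floor.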

Attacker's Goals

An attacker does not know your network and is exploring it for new or unknown subnets.

Investigative actions

  • Validate that the source is not a sanctioned port scanner.
  • Check for suspicious artifacts in the endpoint profile.

Variations

Failed Connections

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Remote System Discovery (T1018)

Severity

Informational

Description

The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.

Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.

An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.

Attacker's Goals

An attacker does not know your network and is exploring it for new or unknown subnets.

Investigative actions

  • Validate that the source is not a sanctioned port scanner.
  • Check for suspicious artifacts in the endpoint profile.
Failed Connections with a rare causality and actor processes relations

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Remote System Discovery (T1018)

Severity

Informational

Description

The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.

Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.

An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.
These failed connections originated from a rare relation between an actor process and its causality.

Attacker's Goals

An attacker does not know your network and is exploring it for new or unknown subnets.

Investigative actions

  • Validate that the source is not a sanctioned port scanner.
  • Check for suspicious artifacts in the endpoint profile.