A commonly abused process connected to a rare external host

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-01-04

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags	EDR Windows C2 Analytics
ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol: Web Protocols (T1071.001)
Severity	Low

A commonly abused process connected to a rare external host.

Communicate with the attacker's Command and Control (C2) infrastructure.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol: Web Protocols (T1071.001)
Severity	Medium

A commonly abused renamed process connected to a rare external host.

Communicate with the attacker's Command and Control (C2) infrastructure.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol: Web Protocols (T1071.001)
Severity	Low

A commonly abused process connected to a globally rare external host.

Communicate with the attacker's Command and Control (C2) infrastructure.

ATT&CK Tactic	Command and Control (TA0011)
ATT&CK Technique	Application Layer Protocol: Web Protocols (T1071.001)
Severity	Low

A commonly abused rare process connected to a rare external host.

Communicate with the attacker's Command and Control (C2) infrastructure.