Abnormal RPC traffic to multiple hosts

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-06-24

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Palo Alto Networks Platform Logs OR XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules
Detector Tags
ATT&CK Tactic	Reconnaissance (TA0043)
ATT&CK Technique	Active Scanning (T1595) Active Scanning: Vulnerability Scanning (T1595.002)
Severity	Low

The endpoint performed unfamiliar RPC activity to multiple hosts.

An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.

Check if the host is a newly deployed server that provides RPC based services to multiple hosts.
Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

The endpoint performed unfamiliar RPC activity to multiple hosts.

An adversary may enumerate different protocols to gain information and plan its lateral movement over the network.

Check if the host is a newly deployed server that provides RPC based services to multiple hosts.
Verify the legitimacy of the actor process (and its causality) that initiated this RPC traffic.