Cortex XDR
Alert Name: Abnormal Recurring Communications to a Rare Domain With a Less Common Port
Alert id: ---
Severity: Low
Source: XDR Analytics BIOC
Category: Command and Control
Action: Detected
Description: The host [$host] was seen communicating to the external entity [$domain]. Communication between these entities was seen 13 times. This external entity is rare in the organization as only 4 hosts within the organization accessed it. This external entity is also rare globally. This external entity was accessed using 1 distinct ports. Based on our machine learning models, this connection was flagged as suspicious.
Hint, it was SSH.
@kajer tbf that’s not an unreasonable reason to trigger an alert is it?
-
@cybeej it is when our whole org uses SSH and these alerts trigger every 30 days to known and internal DNS
We have attempted to exclude these from alerting, but Cortex keeps finding new, exciting, and vague ways to continue to throw alerts.
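The alert above reports three features for a host/domain pair (recurrence count, number of org hosts reaching the domain, distinct ports) and then calls the port "less common". This added example (not Cortex XDR code; hosts, domains, the internal DNS suffix and the thresholds are all constructed assumptions) recomputes those features from a constructed connection summary and applies the org-context checks the thread is asking for: internal zones are suppressed, and a port is judged "common" against the org's own baseline rather than a global one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    host: str
    domain: str
    port: int

INTERNAL_SUFFIXES = (".corp.example",)   # assumed internal DNS zone

# Constructed 30-day outbound summary: ws01 hits an internal bastion 13 times,
# the whole org uses SSH to a git server, and two hosts reach rare domains.
CONNS = (
    [Conn("ws01", "bastion.corp.example", 22)] * 13
    + [Conn(f"ws{i:02d}", "bastion.corp.example", 22) for i in (2, 3, 4)]
    + [Conn(f"ws{i:02d}", "git.example.org", 22) for i in range(1, 40)]
    + [Conn("ws07", "rare.example.net", 2222)] * 13
    + [Conn("ws08", "rare2.example.net", 22)] * 13
)

def features(conns, host, domain):
    """The three counts the alert text reports for a (host, domain) pair."""
    pair = [c for c in conns if c.host == host and c.domain == domain]
    return {
        "count": len(pair),
        "org_hosts": len({c.host for c in conns if c.domain == domain}),
        "ports": {c.port for c in pair},
    }

def port_share(conns, port):
    """Fraction of all org hosts that used this port at all in the window."""
    return len({c.host for c in conns if c.port == port}) / len({c.host for c in conns})

def triage(conns, host, domain, rare_hosts=5, common_share=0.5):
    """Assumed triage policy: suppress internal zones and non-rare domains,
    downgrade when the port is org-common, escalate only rare + uncommon."""
    f = features(conns, host, domain)
    if domain.endswith(INTERNAL_SUFFIXES):
        return "suppress", "internal domain"
    if f["org_hosts"] > rare_hosts:
        return "suppress", "domain is not rare in this org"
    common = [p for p in f["ports"] if port_share(conns, p) >= common_share]
    if common:
        return "downgrade", f"port {common[0]} is used by most org hosts"
    return "escalate", f"rare domain, uncommon port {sorted(f['ports'])}"

if __name__ == "__main__":
    for h, d in [("ws01", "bastion.corp.example"), ("ws07", "rare.example.net"),
                 ("ws08", "rare2.example.net")]:
        print(h, d, features(CONNS, h, d), triage(CONNS, h, d))
```

For ws01 the computed features match the alert text (13 hits, 4 org hosts, 1 port) but the internal-zone check suppresses it, while the host on port 2222 to a single-host domain is the one that still escalates.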