<![CDATA[Cortex XDR]]>Cortex XDR

Alert Name: Abnormal Recurring Communications to a Rare Domain With a Less Common Port
Alert id: ---
Severity: Low
Source: XDR Analytics BIOC
Category: Command and Control
Action: Detected
Description: The host [$host] was seen communicating to the external entity [$domain]. Communication between these entities was seen 13 times. This external entity is rare in the organization as only 4 hosts within the organization accessed it. This external entity is also rare globally. This external entity was accessed using 1 distinct ports. Based on our machine learning models, this connection was flagged as suspicious

hint, it was SSH.

]]>https://board.circlewithadot.net/topic/8e94861d-c2e9-481c-85ec-579bc4f9688f/cortex-xdrRSS for NodeFri, 15 May 2026 06:53:07 GMTFri, 24 Apr 2026 20:16:06 GMT60<![CDATA[Reply to Cortex XDR on Sat, 25 Apr 2026 17:41:09 GMT]]>@cybeej it is when our whole org uses SSH and these alerts trigger every 30 days to known and internal DNS

We have attempted to exclude these from alerting, but Cortex keeps finding new, exciting, and vague ways to continue to throw alerts.

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/kajer/statuses/116466572982885758https://board.circlewithadot.net/post/https://infosec.exchange/users/kajer/statuses/116466572982885758Sat, 25 Apr 2026 17:41:09 GMT<![CDATA[Reply to Cortex XDR on Sat, 25 Apr 2026 04:27:45 GMT]]>@kajer tbf that’s not an unreasonable reason to trigger an alert is it?

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/cybeej/statuses/116463453192766697https://board.circlewithadot.net/post/https://infosec.exchange/users/cybeej/statuses/116463453192766697Sat, 25 Apr 2026 04:27:45 GMT