XDR Analytics "Failed Connections" alert investigation

Daniel_Itenberg — Tue, 30 Nov 2021 12:56:09 GMT

Hi all, I am i need of assistance - how should I go about investigating an incident created by the "Failed Connections" alert?

I run malware scans on the host that raised the alarm, but what can I do beyond that?

I should also mention that whenever such an incident arises, it is not accompanied by a malware alert or anything of the sort.

Re: XDR Analytics "Failed Connections" alert investigation

bbarmanroy — Wed, 01 Dec 2021 02:16:50 GMT

Hi @Daniel_Itenberg

There are a couple of steps that I would suggest, my assumption being that the endpoint tried to connect to a malicious site.

1. Drill down into the alerts that are a part of the incident. Identify the sources and destinations, and the actions that led to the alert. If a malicious file is initiating the connections, you can block it, and retrieve it for further analysis in a sandboxed environment. Based on you analysis, you can proceed to remove the file/s based on your organizational processes. You can also proceed to investigate how the file came to be present in the host.

2. If the connection destinations are deemed malicious/suspicious, you can block them via EDLs or better still, update your firewall policies to block such connections in the event the destinations are alive in the future.

If the connections are port scans, lateral movements (wmiexec etc.), please investigate the reason for those activities as well.

I hope this gets you started off in the right direction.

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/failed-connections.html

topic Re: XDR Analytics "Failed Connections" alert investigation in Cortex XDR Discussions

XDR Analytics "Failed Connections" alert investigation

Re: XDR Analytics "Failed Connections" alert investigation