topic Re: 'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system in Cortex XDR Discussions

'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system

RajeshPremSingh — Fri, 21 Apr 2023 12:18:32 GMT

Hi we have multiple failed connections from one host to several local IP

below cmd was in initiator

C:\WINDOWS\System32\svchost.exe -k NetSvcs -p -s iphlpsvc

Re: 'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system

mavraham — Sun, 23 Apr 2023 10:16:12 GMT

Hi @RajeshPremSingh, thank you for writing to Live Community.

The 'failed connections' alert is an XDR Analytics alert that indicates that the endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. You can read more about the alert and which investigative options you can potentially take here.

That said, I'm not entirely sure what you are asking. Could you please elaborate?

Could you elaborate on what is the ask here?

Re: 'Failed Connections' alerts detected by XDR Analytics on 9 hosts involving user nt authority\system

RajeshPremSingh — Mon, 24 Apr 2023 00:48:50 GMT

we have an incident on Siem tools saying that 'Failed Connections' alerts were detected by XDR Analytics on 9 hosts involving user nt authority\system cmd: C:\WINDOWS\System32\svchost.exe -k NetSvcs -p -s iphlpsvc) Can anyone advise what these failed connections are

failed remote ip: 10.20.0.3,10.40.0.6,10.1.0.8,192.168.106.8,192.168.50.11,10.144.40.15,192.168.2.15,10.10.10.19,10.5.36.19,192.168.128.21,192.168.0.26,10.144.40.27,10.5.38.28,192.168.86.30,10.144.40.32,192.168.86.35,192.168.16.36,192.168.2.37,10.219.134.40,192.168.0.43,192.168.0.44,10.67.136.49,192.168.16.50,192.168.22.50,192.168.14.52,10.144.40.53,192.168.0.54,10.1.2.50,192.168.68.56,10.5.166.57,192.168.32.65,192.168.16.70,10.0.0.74,192.168.12.81,192.168.2.82,192.168.0.84,192.168.0.92,192.168.4.106,192.168.30.108,10.30.150.113,10.69.6.114,10.10.0.117,192.168.30.118,192.168.30.121,10.0.0.122,172.24.62.139,192.168.68.140,192.168.30.146,10.36.74.148,192.168.30.149,10.10.10.154,192.168.30.166,10.5.38.167,10.211.76.192.168.3.161,192.168.1.165,192.168.1.182,10.148.85.189,192.168.31.195,192.168.11.214,172.17.13.218,192.168.1.225,192.168.199.227,192.168.1.229:64516,57866,50186,53264,57369,63517,56360,59945,55346,63539,53815,63032,64058,52794,59473,52307,64086,62039,58969,51806,54878,58466,51815,49262,53876,50805,50300,49276,62590,61567,52358,61065,49290,53903,50327,58541,53936,59570,59573,57529,50366,53957,63174,55495,62668,50896,49874,58075,49373,58590,64740,59111,54515,51444,64768,59141,