https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/649057#M7461 <P>They recently added this and it is making a ton of noise I would suggest tuning it out for now.</P> Fri, 22 Nov 2024 09:13:56 GMT AvesterFahimipour 2024-11-22T09:13:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/623611#M7438 <P>We are receiving multiple alerts from the rule below. All alerts are legitimate Microsoft IPs:</P> <P><STRONG>Abnormal Recurring Communications to a Rare IP</STRONG></P> <P>Could there have been any recent changes on the Cortex end that might be triggering this?<BR /><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Mon, 18 Nov 2024 17:12:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/623611#M7438 RajeshPremSingh 2024-11-18T17:12:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/627248#M7443 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>That's an Analytics alert which means that the connections are not usual to the destination IPs, that doesn't mean that those IPs are malicious.</P> <P>In our Analytic Alerts Reference you can find some investigation actions for this rule (and many others if needed):&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Abnormal-Recurring-Communications-to-a-Rare-IP?tocId=NR8ZpammoR77K6omQMWajQ" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Abnormal-Recurring-Communications-to-a-Rare-IP?tocId=NR8ZpammoR77K6omQMWajQ</A></P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Tue, 19 Nov 2024 14:53:06 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/627248#M7443 jmazzeo 2024-11-19T14:53:06Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/640731#M7451 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>,</P> <P>Thanks for your reply. I have a few questions:</P> <OL> <LI> <P><STRONG>Data Sources for Alerts</STRONG>:</P> <UL> <LI>Where is the data for the alert "Abnormal Recurring Communications to a Rare IP" coming from?</LI> <LI>eg :Possible sources include browsing history, cookie cache, DNS logs, etc.</LI> </UL> </LI> <LI> <P><STRONG>Machine Learning Models</STRONG>:</P> <UL> <LI>The alert mentions, "Based on our machine learning models, this connection was flagged as suspicious."</LI> <LI>How does this work since it is a new BIOC rule and is still learning?</LI> </UL> </LI> </OL> Wed, 20 Nov 2024 20:33:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/640731#M7451 RajeshPremSingh 2024-11-20T20:33:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/649057#M7461 <P>They recently added this and it is making a ton of noise I would suggest tuning it out for now.</P> Fri, 22 Nov 2024 09:13:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/abnormal-recurring-communications-to-a-rare-ip/m-p/649057#M7461 AvesterFahimipour 2024-11-22T09:13:56Z