topic Re: Alerts: - Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS) in General Topics

Alerts: - Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)

H.NguyenNgoc — Thu, 28 Nov 2024 05:04:00 GMT

Hello Friends

Our XDR system recently reported a lot of these warnings, "Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)". Through information from XDR from the user's computer that has queried a website through Google Chrome or MS Edge. The investigation activity gets the user's access information that they have accessed and not accessed those website addresses.
This warning keeps appearing, so how to turn it off or how to find the exact cause of why this warning is there.

Thank you.

Re: Alerts: - Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)

BPry — Fri, 29 Nov 2024 13:39:33 GMT

@H.NguyenNgoc,

XDR should be telling you the actual domain does it not? This would start usually as a pretty typical check of the endpoint; verify that the user doesn't have any malicious extensions added and remove any of the websites that they may have granted notification access to would be the first things that I would check.

Re: Alerts: - Abnormal Recurring Communications to a Rare Domain to a Suspicious Autonomous System (AS)

H.NguyenNgoc — Thu, 05 Dec 2024 01:19:44 GMT

Hello BPry

Thank for your reply.

Yes, the domain name is in the notifications. We checked endpoints browser, most alerts from google chrome and we find no any domain in alert has granted notification access and there is no extension installed on the browser.