'Failed Connections' alerts detected by XDR Analytics

Showing results for 
Show  only  | Search instead for 
Did you mean: 

'Failed Connections' alerts detected by XDR Analytics

L1 Bithead

Hello guys ,
Cortex flagged a security alert(low severity) related to  'Failed Connections' .
Observed these are network connections are initiated by brave browser helper / Firefox helper and these connections are made to private IP's. No malicious files are found after initiating malware scan on the endpoint.
why these Firefox/ Brave helpers are connecting to Private IP ranges ?
Does anyone faced same issue ?kindly help here.


L5 Sessionator

Hi @Anil_Racharla   , 

Thank you for writing to Live community!


It would be too difficult to say why unless investigated, but Cortex XDR analytics does not depend on malicious process data rather it generates on behavioural and network traffic analysis. In this case, this behaviour must have been observed as a unique behaviour on the specific endpoint attempting to making network connections to private IP ranges using firefox and brave browser processes. There is a possibility of a user using tools like network mappers or web applications which attempt network discovery and hence needs to be observed on the same. 


On top of this, Analytics alerts will not generate alerts on malware scans, rather it will generate alerts on behaviour(as stated above)

The endpoint has failed connections to other endpoints that have been inactive for more than 24 hours, or that Cortex XDR Analytics has never seen on the network. The endpoint has made an abnormally large number of these failed connections and/or is attempting to connect to an abnormal mixture of missing or inactive endpoints.
Your network might contain legitimate scanners that could cause a false positive for this alert. Cortex XDR Analytics attempts to filter these out by checking if a scanner has been active for a long consecutive period of time. Consequently, if this alert is seen, it represents new activity on your network.
An attacker may be trying to move laterally, or to scan different parts of the network to look for other endpoints that expose a specific service. Worms also perform a similar activity to automatically infect additional hosts in the network.


Hope this answers your question.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!