XDR Analytics "Failed Connections" alert investigation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XDR Analytics "Failed Connections" alert investigation

L2 Linker

Hi all, I am i need of assistance - how should I go about investigating an incident created by the "Failed Connections" alert? 

I run malware scans on the host that raised the alarm, but what can I do beyond that?

I should also mention that whenever such an incident arises, it is not accompanied by a malware alert or anything of the sort.

1 REPLY 1

L5 Sessionator

Hi @Daniel_Itenberg 

There are a couple of steps that I would suggest, my assumption being that the endpoint tried to connect to a malicious site.

1. Drill down into the alerts that are a part of the incident. Identify the sources and destinations, and the actions that led to the alert. If a malicious file is initiating the connections, you can block it, and retrieve it for further analysis in a sandboxed environment. Based on you analysis, you can proceed to remove the file/s based on your organizational processes. You can also proceed to investigate how the file came to be present in the host.

2. If the connection destinations are deemed malicious/suspicious, you can block them via EDLs or better still, update your firewall policies to block such connections in the event the destinations are alive in the future.

 

If the connections are port scans, lateral movements (wmiexec etc.), please investigate the reason for those activities as well.

 

 

I hope this gets you started off in the right direction.

 

Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!