Share via

Multiple connections for svchost.exe (netsvcs)

Rajesh 0 Reputation points
2023-04-21T15:54:01.5333333+00:00

we have an incident on Siem tools saying that 'Failed Connections' alerts were detected by XDR Analytics on 9 hosts involving user nt authority\system cmd: C:\WINDOWS\System32\svchost.exe -k NetSvcs -p -s iphlpsvc) Can anyone advise what these failed connections are

failed remote ip: 10.20.0.3,10.40.0.6,10.1.0.8,192.168.106.8,192.168.50.11,10.144.40.15,192.168.2.15,10.10.10.19,10.5.36.19,192.168.128.21,192.168.0.26,10.144.40.27,10.5.38.28,192.168.86.30,10.144.40.32,192.168.86.35,192.168.16.36,192.168.2.37,10.219.134.40,192.168.0.43,192.168.0.44,10.67.136.49,192.168.16.50,192.168.22.50,192.168.14.52,10.144.40.53,192.168.0.54,10.1.2.50,192.168.68.56,10.5.166.57,192.168.32.65,192.168.16.70,10.0.0.74,192.168.12.81,192.168.2.82,192.168.0.84,192.168.0.92,192.168.4.106,192.168.30.108,10.30.150.113,10.69.6.114,10.10.0.117,192.168.30.118,192.168.30.121,10.0.0.122,172.24.62.139,192.168.68.140,192.168.30.146,10.36.74.148,192.168.30.149,10.10.10.154,192.168.30.166,10.5.38.167,10.211.76.192.168.3.161,192.168.1.165,192.168.1.182,10.148.85.189,192.168.31.195,192.168.11.214,172.17.13.218,192.168.1.225,192.168.199.227,192.168.1.229:64516,57866,50186,53264,57369,63517,56360,59945,55346,63539,53815,63032,64058,52794,59473,52307,64086,62039,58969,51806,54878,58466,51815,49262,53876,50805,50300,49276,62590,61567,52358,61065,49290,53903,50327,58541,53936,59570,59573,57529,50366,53957,63174,55495,62668,50896,49874,58075,49373,58590,64740,59111,54515,51444,64768,59141,

Windows for business | Windows Client for IT Pros | User experience | Other
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 44,776 Reputation points
    2023-04-24T12:09:27.72+00:00

    Hello there, If you received a system alert regarding an issue with activity delivery through the SIEM agent, follow the steps below to recover the activity events in the timeframe of the issue. These steps will guide you through setting up a new Recovery SIEM agent that will run in parallel and resend the activity events to your SIEM. The recovery process will resend all activity events in the timeframe described in the system alert. If your SIEM already contains activity events from this timeframe, you will experience duplicated events after this recovery. You can follow the steps from here https://learn.microsoft.com/en-us/defender-cloud-apps/troubleshooting-siem Hope this resolves your Query !! --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.