LoFP / T1040

T1040

Admins may set up new or modify existing SPANs, or use a monitor for troubleshooting.
Full network packet capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full network packet capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Legitimate administration activities.
Legitimate administration activity.
Legitimate administration activity to troubleshoot network issues.
A legitimate administrator or user uses a network sniffing tool for legitimate reasons.
Legitimate network diagnostic scripts.
Legitimate SNMP configuration changes may trigger this detection during routine network maintenance or initial device setup. Network administrators often need to configure SNMP for monitoring and management purposes. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for SNMP configuration changes, and scheduled maintenance windows. You may also want to create a lookup table of approved SNMP hosts and filter out alerts for these destinations.
Legitimate use.
Some normal use of this command may originate from server or network administrators engaged in network troubleshooting.
Unknown.