t1041
Title: False positives may stem from an application or users requesting the API directly via the command line for testing purposes. Investigate the matches and apply the necessary filters.
Tags: t1041, t1102.002, endpoint, splunk

Title: False positives may occur due to legitimate security testing or research activities.
Tags: t1041, T1573.002, network, splunk

Title: False positives should be unlikely.
Tags: t1041, t1190, T1573.002, network, splunk

Title: Large outbound transfers may occur due to legitimate activities such as cloud backups, file syncing, OS or application updates, or developer build deployments. Backup servers, CI/CD pipelines, and enterprise sync tools (e.g., OneDrive, Dropbox) may exhibit similar patterns. Additional validation using user context, scheduled task windows, or endpoint telemetry is recommended to reduce false positives.
Tags: t1041, t1048.003, t1567.002, network, splunk

Title: Legitimate use of portmap.io domains.
Tags: t1041, t1090, t1090.002, windows, sigma

Title: Some benign applications may exhibit behaviors that resemble encrypted threat patterns, especially if they use uncommon encryption libraries or custom protocols. Custom-developed or internal tools may trigger high EVE confidence scores depending on how they encrypt data. It is recommended to validate the associated process (`eve_process`) and destination context, and to correlate with other logs (e.g., endpoint or threat intel) before taking response action.
Tags: t1041, t1071.001, t1105, T1573.002, network, splunk