LoFP / t1041

t1041

a misconfigured network application or firewall may trigger this alert. security scans or test cycles may trigger this alert.
a newly installed program or one that rarely uses the network could trigger this alert.
business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. a new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. business travelers who roam to many countries for brief periods may trigger this alert.
business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. a new business workflow or a surge in business activity in a particular country may trigger this alert. business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity.
false positives may stem from applications or users requesting the api directly via the command line for testing purposes. investigate the matches and apply the necessary filters.
false positives may occur due to legitimate security testing or research activities.
false positives should be unlikely.
large outbound transfers may occur due to legitimate activities such as cloud backups, file syncing, os or application updates, or developer build deployments. backup servers, ci/cd pipelines, and enterprise sync tools (e.g., onedrive, dropbox) may exhibit similar patterns. additional validation using user context, scheduled task windows, or endpoint telemetry is recommended to reduce false positives.
legitimate configuration exports to remote locations may occur during normal administrative activities. investigate these events to verify their legitimacy and apply necessary filters.
legitimate use of portmap.io domains
new or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
new or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
some benign applications may exhibit behaviors that resemble encrypted threat patterns, especially if they use uncommon encryption libraries or custom protocols. custom-developed or internal tools may trigger high eve confidence scores depending on how they encrypt data. it is recommended to validate the associated process (`eve_process`) and destination context, and correlate with other logs (e.g., endpoint or threat intel) before taking response action.
system updates, scheduled backups, or misconfigured services may trigger this alert.
web activity that occurs rarely in small quantities can trigger this alert. possible examples are browsing technical support or vendor urls that are used very sparsely. a user who visits a new and unique web destination may trigger this alert when the activity is sparse. web applications that generate urls unique to a transaction may trigger this when they are used sparsely. web domains can be excluded in cases such as these.