
T1571 (Non-Standard Port)

If you work in the public sector, it may be good to exclude domains ending with ".edu", ".gov" and/or ".mil".
Internal or legitimate external domains using DNSSEC. Verify that these are legitimate DNSSEC domains and then exclude them.
Legitimate administrative scripts.
Some legitimate applications may download files over custom ports (e.g., CDN mirrors, APIs). Apply additional filters accordingly.
Some legitimate services or custom applications may use non-standard ports for development, remote management, or internal communication. Ephemeral ports in test environments may occasionally overlap with the ports used in this detection. Additional context such as process name, user behavior, or endpoint telemetry should be used to validate suspicious sessions before escalation.
SSH over ports other than the traditional port 22 is highly uncommon. This rule alerts on the use of such uncommon ports by the SSH service. Tuning is needed to reach higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions, preferably as a combination of whitelisted ports for such legitimate SSH activities.
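Read together, these notes describe one tuning pattern: alert on a service seen off its standard port, then suppress known service/port combinations, public-sector destinations, and sessions that endpoint context explains. The filter below is an added example, not code from LoFP or from any of the rules quoted above; the session fields, the allowlisted ports and the trusted process names are assumptions for illustration.

```python
# Added example: tuning a non-standard-port detection over constructed
# session telemetry. Allowlists and field names are assumed, not from any rule.
from dataclasses import dataclass
from typing import Iterable

STANDARD_PORT = {"ssh": 22, "http": 80, "https": 443}

# Service/port combinations known to be legitimate in this environment,
# e.g. SSH on 2222 for a bastion host (assumed values).
ALLOWED_SERVICE_PORTS = {("ssh", 2222), ("https", 8443)}

# Public-sector destinations excluded as the note above suggests.
PUBLIC_SECTOR_SUFFIXES = (".edu", ".gov", ".mil")

# Processes expected to use non-standard ports (assumed values).
TRUSTED_PROCESSES = {"backup-agent"}


@dataclass(frozen=True)
class Session:
    service: str
    dest_port: int
    dest_domain: str
    process: str


def is_suspicious(s: Session) -> bool:
    standard = STANDARD_PORT.get(s.service)
    if standard is None or s.dest_port == standard:
        return False  # unknown service, or the port is the expected one
    if (s.service, s.dest_port) in ALLOWED_SERVICE_PORTS:
        return False  # whitelisted service/port combination
    if s.dest_domain.endswith(PUBLIC_SECTOR_SUFFIXES):
        return False  # public-sector exclusion
    if s.process in TRUSTED_PROCESSES:
        return False  # endpoint context validates the session
    return True


def triage(sessions: Iterable[Session]) -> list[Session]:
    return [s for s in sessions if is_suspicious(s)]


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE = [
    Session("ssh", 22, "git.example.com", "ssh"),
    Session("ssh", 2222, "bastion.example.com", "ssh"),
    Session("ssh", 4444, "203.0.113.7", "python3"),
    Session("ssh", 8022, "data.example.gov", "curl"),
    Session("ssh", 8022, "data.example.net", "backup-agent"),
    Session("https", 8443, "cdn.example.net", "updater"),
]

if __name__ == "__main__":
    for s in triage(SAMPLE):
        print(f"ALERT {s.service} -> {s.dest_domain}:{s.dest_port} via {s.process}")
```

Only the SSH session to an unlisted host on port 4444 from an unlisted process survives the filter; every other sample is suppressed by exactly one of the exclusions the notes describe.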