LoFP LoFP / t1571

t1571

TitleTags
a newly installed program or one that rarely uses the network could trigger this alert.
if you work in a public sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"
internal hosts that legitimately send mail to external mail transfer agents listening on tcp port 26 may cause false positives. mail servers or applications with known external smtp relays can be excluded by source or destination ip address as this is expected behavior.
internal or legitimate external domains using dnssec. verify if these are legitimate dnssec domains and then exclude them.
legitimate administrative script
ssh over ports apart from the traditional port 22 is highly uncommon. this rule alerts the usage of the such uncommon ports by the ssh service. tuning is needed to have higher confidence. if this activity is expected and noisy in your environment, consider adding exceptions - preferably with a combination whitelisted ports for such legitimate ssh activities.
unknown