LoFP LoFP / t1595

t1595

TitleTags
business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. a new business workflow or a surge in business activity in a particular country may trigger this alert. business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity.
false positives may be present if the activity is part of diagnostics or testing. filter as needed.
internal development or testing scripts. consider filtering by source ip if this is expected from certain systems.
legitimate network monitoring or vulnerability scanning tools that may use this generic user agent.
legitimate security scanning.
legitimate web application clients or mobile apps that access multiple api endpoints as part of normal functionality, monitoring and health check systems probing various endpoints for availability, load balancers performing health checks across different paths, api testing frameworks during development and qa processes, or users navigating through web interfaces that trigger multiple api calls may generate similar patterns during normal operations.
some administrator activity can be potentially triggered, please add those users to the filter macro.
there is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
unknown