LoFP
t1595.002
Title
Tags
Blocked-connection events are generated by an access control policy configured on the firewall management console, so no false positives are expected.
Tags: t1018, t1046, t1110, t1203, t1595.002, network, splunk
False positives can occur in environments where vulnerability scanners or malware sandboxes actively generate simulated attacks. Noisy or overly aggressive Snort rules may also produce bursts of alerts from legitimate applications. Review host context before escalating.
Tags: t1059, t1071, t1595.002, network, splunk
Internal vulnerability scanners will trigger this detection.
Tags: t1046, t1595.002, endpoint, splunk
Legitimate security scanning.
Tags: t1190, t1595, t1595.002, sigma
Misconfigured applications or automated scripts may generate repeated blocked traffic, particularly when attempting to reach decommissioned or restricted resources. Vulnerability scanners or penetration-testing tools running in authorized environments may also trigger this alert. Tuning may be required to exclude known internal tools or scanner IPs from the detection.
Tags: t1018, t1046, t1110, t1203, t1595.002, network, splunk
Various; this can be noisy depending on the organization's processes and the Sysmon configuration in use. Adjust the port/destination count thresholds as needed.
Tags: t1595.001, t1595.002, endpoint, splunk
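The two tuning knobs named in the entries above (excluding known scanner IPs, and adjusting distinct port/destination count thresholds) are easiest to reason about in code. The following is an added example written for this page; it is not one of the listed Splunk or Sigma rules and not code from any rule author. The connection records, the 10.0.9.0/24 scanner allowlist and the threshold values are all constructed assumptions; in a real deployment they would come from the firewall or Sysmon feed and from the asset inventory.

```python
"""Scan-style detection over blocked-connection records, with the two tunings
the false-positive notes call for: an allowlist of authorised scanner sources
and thresholds on distinct destination ports / destination hosts per source.
All data and constants below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample records in the form "src dst dport action" (not real logs).
SAMPLE_EVENTS = [
    # 10.0.0.5 probes many ports on a single host: a vertical port scan.
    *[f"10.0.0.5 10.0.1.10 {p} blocked"
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)],
    # 10.0.0.9 probes one port across many hosts: a horizontal sweep.
    *[f"10.0.0.9 10.0.1.{h} 445 blocked" for h in range(20, 32)],
    # 10.0.9.50 is the authorised internal vulnerability scanner doing both.
    *[f"10.0.9.50 10.0.1.{h} {p} blocked"
      for h in range(10, 22)
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)],
    # 10.0.0.7 is a misconfigured app retrying one decommissioned service.
    *["10.0.0.7 10.0.2.200 5432 blocked"] * 30,
]

# Assumed allowlist of known scanner sources; tune per environment.
KNOWN_SCANNERS = [ipaddress.ip_network("10.0.9.0/24")]


@dataclass(frozen=True)
class Thresholds:
    """Minimum distinct counts per source before an alert fires (assumed defaults)."""
    distinct_ports: int = 8
    distinct_dests: int = 10


def parse(line):
    """Split one constructed record into (src, dst, dport, action)."""
    src, dst, dport, action = line.split()
    return src, dst, int(dport), action


def is_known_scanner(src, allowlist=KNOWN_SCANNERS):
    """True when src falls inside any allowlisted scanner network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowlist)


def detect_scans(events, thresholds=Thresholds(), allowlist=KNOWN_SCANNERS):
    """Return {src: [reasons]} for sources whose blocked traffic looks like scanning.

    Counting *distinct* ports and destinations (rather than raw event volume)
    is what keeps a single misconfigured client retrying one service from
    alerting, while the allowlist suppresses the authorised scanner.
    """
    ports = defaultdict(set)
    dests = defaultdict(set)
    for line in events:
        src, dst, dport, action = parse(line)
        if action != "blocked":
            continue
        ports[src].add(dport)
        dests[src].add(dst)

    alerts = {}
    for src in ports:
        if is_known_scanner(src, allowlist):
            continue  # authorised scanner: the documented false positive
        reasons = []
        if len(ports[src]) >= thresholds.distinct_ports:
            reasons.append(f"{len(ports[src])} distinct ports")
        if len(dests[src]) >= thresholds.distinct_dests:
            reasons.append(f"{len(dests[src])} distinct destinations")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for src, why in detect_scans(SAMPLE_EVENTS).items():
        print(src, "->", "; ".join(why))
    print("dest threshold 15:", detect_scans(SAMPLE_EVENTS, Thresholds(8, 15)))
    print("no allowlist:", sorted(detect_scans(SAMPLE_EVENTS, allowlist=[])))
```

With the default thresholds the two unauthorised sources alert, the allowlisted scanner is suppressed, and the retrying application never alerts because its thirty events touch one port on one host. Raising the destination threshold to 15 drops the horizontal sweep, and emptying the allowlist brings the scanner back as an alert, which is the trade-off the notes above describe.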