# long\_inbound\_https\_bad\_rep

**Explanation**

This security event is triggered by the Netography Fusion Portal when it detects inbound traffic to an internet-facing HTTPS endpoint from a source IP address with a bad reputation, where the communication is sustained across multiple flows.

**What to Look For**

The first thing to determine is the business function of the destination host. If the destination is a VPN server, this NDM may be alerting on interactive login sessions from a suspicious source. Look for the source IP in the VPN logs to determine whether a successful authentication has occurred. Inbound sessions from low-reputation IP addresses to public web servers may be a common occurrence.
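
The VPN log check described above can be scripted. The following is an added example, not part of the Netography documentation: the key=value log format, the sample lines, and the names `triage_source_ip` and `LINE_RE` are assumptions made for illustration, so adapt the pattern to the format your VPN gateway writes.

```python
import ipaddress
import re

# Constructed sample lines in a hypothetical key=value VPN auth log format;
# adapt LINE_RE to the format your VPN gateway actually writes.
SAMPLE_VPN_LOG = """\
2024-05-01T11:58:10Z vpn-gw auth user=alice src=198.51.100.7 result=success
2024-05-01T12:00:03Z vpn-gw auth user=bob src=203.0.113.45 result=failure
2024-05-01T12:00:09Z vpn-gw auth user=bob src=203.0.113.45 result=failure
2024-05-01T12:00:41Z vpn-gw auth user=bob src=203.0.113.45 result=success
2024-05-01T12:03:17Z vpn-gw auth user=carol src=203.0.113.4 result=success
malformed line without the expected fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+auth\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>success|failure)\s*$"
)


def triage_source_ip(alert_src, log_text):
    """Summarise VPN authentication outcomes for the alert's source IP."""
    target = ipaddress.ip_address(alert_src)  # raises ValueError on bad input
    summary = {"success": [], "failure": [], "skipped": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            summary["skipped"] += 1  # count unparsed lines, do not hide them
            continue
        try:
            # Compare parsed addresses, not strings, so 203.0.113.4 does not
            # match 203.0.113.45 and IPv6 spellings are normalised.
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            summary["skipped"] += 1
            continue
        if src == target:
            summary[m["result"]].append((m["ts"], m["user"]))
    # Any successful authentication from the flagged source warrants escalation.
    summary["escalate"] = bool(summary["success"])
    return summary


if __name__ == "__main__":
    print(triage_source_ip("203.0.113.45", SAMPLE_VPN_LOG))
```

A non-zero `skipped` count means some lines did not parse, so an empty `success` list should not be read as proof that no login succeeded.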

**Related MITRE ATT\&CK Categories**

[Initial Access, Persistence: External Remote Services, Technique T1133 - Enterprise](https://attack.mitre.org/techniques/T1133)
