long_inbound_https_bad_rep
Explanation
This security event is triggered by the Netography Fusion Portal when it detects inbound traffic to an internet-facing HTTPS endpoint from a source IP address with a bad reputation, with sustained communication across multiple flows.
What to Look For
The first thing to determine is the business function of the destination host. If the destination is a VPN server, this NDM may be alerting on interactive login sessions from a suspicious source. Look for the source IP in VPN logs to determine if a successful authentication has occurred. Inbound sessions from low-reputation IP addresses to public web servers may be a common occurrence.
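The VPN log check described above, as an added example (not Netography's code). It assumes a hypothetical one-line-per-event VPN auth log format; the sample lines, function names, addresses and the 15-minute slack around the alert window are all constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in a hypothetical VPN auth log format (not a vendor format).
SAMPLE_VPN_LOG = """\
2024-05-01T10:02:11Z vpn01 auth result=failure user=jsmith src=203.0.113.45
2024-05-01T10:02:40Z vpn01 auth result=failure user=jsmith src=203.0.113.45
2024-05-01T10:03:05Z vpn01 auth result=success user=jsmith src=203.0.113.45
2024-05-01T10:04:00Z vpn01 auth result=success user=adoe src=198.51.100.7
2024-05-01T18:30:00Z vpn01 auth result=failure user=admin src=203.0.113.45
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth result=(?P<result>success|failure) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def vpn_events_for_alert(log_text, alert_src, start, end, slack_minutes=15):
    """Auth events from alert_src within the alert window, widened by slack."""
    src = ipaddress.ip_address(alert_src)
    lo = datetime.strptime(start, TS_FMT) - timedelta(minutes=slack_minutes)
    hi = datetime.strptime(end, TS_FMT) + timedelta(minutes=slack_minutes)
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth record
        try:
            ts = datetime.strptime(m["ts"], TS_FMT)
            if ipaddress.ip_address(m["src"]) != src:
                continue
        except ValueError:
            continue  # malformed timestamp or address
        if lo <= ts <= hi:
            events.append((ts, m["result"], m["user"]))
    return sorted(events)

def summarize(events):
    """Answer the triage question: did this source authenticate, and as whom?"""
    ok = [(ts, user) for ts, result, user in events if result == "success"]
    first_ok = ok[0][0] if ok else None
    return {
        "authenticated": bool(ok),
        "users": sorted({user for _, user in ok}),
        "failures": sum(1 for _, result, _ in events if result == "failure"),
        "first_success": first_ok.strftime(TS_FMT) if first_ok else None,
    }

if __name__ == "__main__":
    hits = vpn_events_for_alert(SAMPLE_VPN_LOG, "203.0.113.45",
                                "2024-05-01T10:00:00Z", "2024-05-01T10:10:00Z")
    print(summarize(hits))
```

Failed attempts followed by a success from the same low-reputation source, as in the constructed sample, are worth reviewing alongside the account's normal login locations.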
Related MITRE ATT&CK Categories