long_inbound_https_bad_rep
Explanation
This security event is triggered by the Netography Fusion Portal when it detects inbound traffic to an internet facing HTTPS endpoint from a source IP address with a bad reputation, with sustained communication across multiple flows.
What to Look For
The first thing to determine is the business function of the destination host. If the destination is a VPN server, this NDM may be alerting on interactive login sessions from a suspicious source. Look for the source IP in VPN logs to determine if a successful authentication has occurred. Inbound sessions from low reputation IP addresses to public web servers may be common occurrence.
Related MITRE ATT&CK Categories
Updated 4 days ago