# Network Activity by IP Use Cases

## Grouped by Detection Method

### Aggregate Count

### Blacklist Alert

- Known-Bad Destination Port Use

### Whitelist Alert

- Anomalous Destination Port Use

### Levenshtein Score Alert

### Rolling Whitelist Alert

- Newly Observed Source System, Protocol
- Newly Observed Source System, HourOfDay

### Shannon Entropy Score Alert

### Threshold Alert

- Source System, Destination System, Protocol=UDP where Source System Count exceeds threshold
- Source System, Destination System, Protocol=UDP where Destination System Count exceeds threshold
- Source System, Protocol=TCP where Count exceeds threshold
- Destination System, Protocol=TCP where Count exceeds threshold
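The following is an added example, not code from the original repository, showing how the Rolling Whitelist and Threshold use cases above can be implemented over Layer 3 firewall logs. The key/value log format, the field names (`src`, `dst`, `proto`, `dport`), the sample log lines and the thresholds are all constructed for this example. The two UDP threshold cases are read here as fan-out (distinct destinations per source) and fan-in (distinct sources per destination); that reading is an assumption, since the page itself only names the grouping fields.

```python
"""Rolling-whitelist and threshold detections over constructed firewall log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed Layer 3 firewall log sample (assumed format: "<ISO timestamp> key=value ...").
# BASELINE_LOGS is the learning window; TODAY_LOGS is the window being evaluated.
BASELINE_LOGS = [
    "2024-01-01T09:00:00 src=10.0.0.5 dst=10.0.1.20 proto=TCP dport=443",
    "2024-01-01T09:05:00 src=10.0.0.5 dst=10.0.1.20 proto=TCP dport=443",
    "2024-01-01T14:00:00 src=10.0.0.7 dst=10.0.1.53 proto=UDP dport=53",
]
TODAY_LOGS = [
    "2024-01-02T09:10:00 src=10.0.0.5 dst=10.0.1.20 proto=TCP dport=443",
    "2024-01-02T03:00:00 src=10.0.0.5 dst=10.0.1.20 proto=TCP dport=443",  # new hour for 10.0.0.5
    "2024-01-02T10:00:00 src=10.0.0.7 dst=10.0.1.21 proto=TCP dport=22",   # new protocol for 10.0.0.7
] + [
    # 10.0.0.9 sends UDP to 25 distinct destinations: a fan-out pattern for the threshold alert
    f"2024-01-02T11:00:{i:02d} src=10.0.0.9 dst=10.0.1.{i} proto=UDP dport=161"
    for i in range(25)
]


def parse(line):
    """Turn one log line into a dict; adds the integer hour-of-day as 'hour'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["hour"] = datetime.fromisoformat(ts).hour
    return rec


def rolling_whitelist_alerts(baseline, current, key_fields):
    """Alert on a combination of key_fields (e.g. ("src", "proto") or ("src", "hour"))
    that was never seen in the baseline window. Each new combination alerts once and
    is then rolled into the whitelist, so repeats in the same window stay quiet."""
    seen = {tuple(r[f] for f in key_fields) for r in map(parse, baseline)}
    alerts = []
    for r in map(parse, current):
        key = tuple(r[f] for f in key_fields)
        if key not in seen:
            alerts.append(key)
            seen.add(key)
    return alerts


def threshold_alerts(logs, proto, group_field, distinct_field=None, threshold=20):
    """Per value of group_field, count events of one protocol and alert when the count
    exceeds threshold. With distinct_field set, count distinct values of that field
    instead (e.g. distinct destinations per source, to catch fan-out)."""
    buckets = defaultdict(set)
    for i, r in enumerate(map(parse, logs)):
        if r["proto"] == proto:
            # Without distinct_field, the event index makes every event count once.
            buckets[r[group_field]].add(r[distinct_field] if distinct_field else i)
    return {k: len(v) for k, v in buckets.items() if len(v) > threshold}


if __name__ == "__main__":
    print("New (src, proto):", rolling_whitelist_alerts(BASELINE_LOGS, TODAY_LOGS, ("src", "proto")))
    print("New (src, hour): ", rolling_whitelist_alerts(BASELINE_LOGS, TODAY_LOGS, ("src", "hour")))
    print("UDP fan-out by source:", threshold_alerts(TODAY_LOGS, "UDP", "src", "dst"))
    print("UDP fan-in by destination:", threshold_alerts(TODAY_LOGS, "UDP", "dst", "src"))
    print("TCP count by source:", threshold_alerts(TODAY_LOGS, "TCP", "src", threshold=1))
```

The baseline window is the part to get right in production: too short and every ordinary weekday pattern alerts as "newly observed"; too long and a compromised host's earlier traffic becomes part of its own whitelist. Thresholds likewise need to be tuned per log source, which is why the page tracks false positives separately.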

## Log Source Examples

- Layer 3 or 7 Firewall Logs

## Possible False Positives