I have the thresholds for Unusual Server Port Internal activity set to the most conservative settings to minimize false positives, but it seems like the highest port consistently gets flagged as "unusual". In the example below there are 15 ports labeled as usual, and the Kafka port (9092) is being flagged as unusual. Upon further investigation we always find out that this is the intended purpose, and traffic volumes support that this is normal activity. For example, another similar alert was fired off on MongoDB, but going into the Investigate tab I can see months and hundreds of Gb of MongoDB traffic, so it should NOT have flagged this traffic coming from a host labeled as MongoDB (not that the naming convention has anything to do with it, but I had to figure out if the resource this was connected to was legit a MongoDB server and client).
I may enter a feature request to add an "allowed ports" check box based on alerts generated for Unusual Server Port Internal.
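As an added illustration (not code from the original post, and not how the vendor's detection is implemented), the check below applies the two suppressions the post argues for: an operator-maintained allow list of known server ports, and a history baseline (days seen and bytes transferred) that treats a port with months of steady traffic as usual regardless of its numeric value. The flow records, the thresholds, and the use of 27017 as MongoDB's default port are assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of internal server-port observations; each row is
# (server_host, server_port, day, bytes_transferred). Not real telemetry.
_day0 = date(2024, 1, 1)
SAMPLE_FLOWS = (
    # Kafka broker on 9092: seen every day for 20 days, ~200 MB/day
    [("kafka-01", 9092, _day0 + timedelta(days=d), 200_000_000) for d in range(20)]
    # MongoDB on 27017 (assumed default port): only 10 days of history so far
    + [("mongo-01", 27017, _day0 + timedelta(days=d), 500_000_000) for d in range(10)]
    # A lower-numbered port seen once with almost no traffic: no baseline supports it
    + [("web-03", 8089, _day0 + timedelta(days=19), 10_000)]
)

# Hypothetical operator-maintained allow list: the "allowed ports" check box
# from the post expressed as data (port -> service name).
ALLOWED_SERVER_PORTS = {27017: "MongoDB"}


def classify_server_ports(flows, allowed_ports, min_days=14, min_bytes=1_000_000_000):
    """Return {port: (verdict, reason)} where verdict is "usual" or "unusual".

    A port is usual if it is allow-listed, or if it has been observed on at
    least min_days distinct days with at least min_bytes total transferred.
    The port number itself is never a factor.
    """
    days_seen = defaultdict(set)
    total_bytes = defaultdict(int)
    for _host, port, day, nbytes in flows:
        days_seen[port].add(day)
        total_bytes[port] += nbytes

    verdicts = {}
    for port in days_seen:
        ndays, nbytes = len(days_seen[port]), total_bytes[port]
        if port in allowed_ports:
            verdicts[port] = ("usual", f"allow-listed as {allowed_ports[port]}")
        elif ndays >= min_days and nbytes >= min_bytes:
            verdicts[port] = ("usual", f"baseline: {ndays} days, {nbytes} bytes")
        else:
            verdicts[port] = ("unusual", f"only {ndays} day(s), {nbytes} bytes")
    return verdicts


if __name__ == "__main__":
    for port, (verdict, reason) in sorted(classify_server_ports(SAMPLE_FLOWS, ALLOWED_SERVER_PORTS).items()):
        print(f"{port:>6}  {verdict:<8} {reason}")
```

With the thresholds above, 9092 is usual on its baseline alone, 27017 is usual only because it is allow-listed, and 8089 stays unusual.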
I hope that this note finds you well! I know that it has been a while since you posted this question, but I wanted to see if you still potentially needed any help. Thank you for your time, and I hope that you have a good remainder of your day.
J. Avery King