Description
The detection currently includes events where the destination IP or source IP is a loopback address (IPv4 127.0.0.1 or IPv6 ::1).
These are local-only communications and should not be treated as network traffic, resulting in false positives when legitimate processes communicate with local services (e.g., local PowerShell remoting, script hosts, or agent components).
Issue
When All_Traffic.dest_ip or All_Traffic.src_ip equals 127.0.0.1, 127.0.0.*, or ::1, the rule fires — even though these are local loopback connections that pose no lateral movement or exfiltration risk.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe", "*\\pwsh.exe")) NOT All_Traffic.src IN ("127.0.0.1", "0:0:0:0:0:0:0:1") NOT All_Traffic.dest IN ("127.0.0.1", "0:0:0:0:0:0:0:1") by All_Traffic.action All_Traffic.app All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name(All_Traffic)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rex field=app ".*\\(?<process_name>.*)$"
| `lolbas_with_network_traffic_filter`
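The loopback exclusion the issue asks for, written out in Python over constructed sample events as an added illustration; this is not code from the issue or from the Splunk security_content project. It mirrors the search's process-name extraction (text after the last backslash) and a subset of its LOLBAS list, and contrasts the exact-string match on "127.0.0.1" / "0:0:0:0:0:0:0:1" with an address-based test, which is what also drops 127.0.0.* and the short "::1" form. The field names, sample events and helper names are assumptions.

```python
import ipaddress

# Subset of the executables named in the detection's All_Traffic.app list
# (basenames only; the rex in the search strips the directory path).
LOLBAS_NAMES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "mshta.exe",
    "regsvr32.exe", "msiexec.exe", "bitsadmin.exe", "cscript.exe", "wmic.exe",
}

# The literal loopback values used by the SPL filter in the issue.
LITERAL_LOOPBACK = {"127.0.0.1", "0:0:0:0:0:0:0:1"}

# Constructed sample events shaped like Network_Traffic.All_Traffic rows (not real data).
SAMPLE_EVENTS = [
    {"app": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "src_ip": "127.0.0.1", "dest_ip": "127.0.0.1", "dest_port": 5985},   # local WinRM
    {"app": r"C:\Windows\System32\certutil.exe",
     "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "dest_port": 443},  # real outbound
    {"app": r"C:\Windows\System32\mshta.exe",
     "src_ip": "::1", "dest_ip": "::1", "dest_port": 8080},               # IPv6 loopback, short form
    {"app": r"C:\Windows\System32\cmd.exe",
     "src_ip": "10.0.0.5", "dest_ip": "127.0.0.53", "dest_port": 53},     # 127.0.0.* but not .1
    {"app": r"C:\Windows\explorer.exe",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7", "dest_port": 80},   # not in the LOLBAS list
]


def process_name(app: str) -> str:
    """Mirror of the search's rex: the text after the last backslash."""
    return app.rsplit("\\", 1)[-1]


def is_loopback(addr: str) -> bool:
    """True for anything in 127.0.0.0/8 or ::1, whatever textual form it has."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # missing or unparseable IP: do not exclude the event


def is_literal_loopback(addr: str) -> bool:
    """The exact-string comparison from the issue's SPL, for contrast."""
    return addr in LITERAL_LOOPBACK


def lolbas_events(events, loopback_test=is_loopback):
    """Apply the detection: a LOLBAS process and neither endpoint is loopback.

    The exclusion is NOT (src is loopback OR dest is loopback), which is the
    same as (NOT src is loopback) AND (NOT dest is loopback).
    """
    return [
        e for e in events
        if process_name(e["app"]).lower() in LOLBAS_NAMES
        and not (loopback_test(e["src_ip"]) or loopback_test(e["dest_ip"]))
    ]


def literal_filter_leaks(events):
    """Events the exact-string filter would still alert on although the
    address-based test identifies them as loopback-only traffic."""
    kept_literal = lolbas_events(events, is_literal_loopback)
    kept_parsed = lolbas_events(events, is_loopback)
    return [e for e in kept_literal if e not in kept_parsed]


if __name__ == "__main__":
    for e in lolbas_events(SAMPLE_EVENTS):
        print("alert:", process_name(e["app"]), e["src_ip"], "->", e["dest_ip"])
    for e in literal_filter_leaks(SAMPLE_EVENTS):
        print("still alerted by literal match:", process_name(e["app"]), e["dest_ip"])
```

Run stand-alone, the address-based filter leaves only the certutil event, while the literal list lets the "::1" and 127.0.0.53 events through. In SPL the equivalent condition is two separate `NOT ... IN (...)` clauses, one for src and one for dest; a wildcard value such as "127.*" in those lists would cover the 127.0.0.* range, but which IPv6 spelling appears in the src and dest fields depends on the data source feeding the data model, so check the raw events before settling on the literals.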