Hi,
In our deployment, we always have offenses (usually with low magnitude) triggered by the rule "Long Duration Flow Detected containing Web.SecureWeb".
In this new cloud-based world, it is quite common that an application (even components of Windows) is constantly connected to some web service (we usually see addresses from Microsoft's /10 network and Facebook). I don't want to include the whole /10 or even /8 Azure subnet, but I would like to handle this common traffic as FP.
Any idea on how to modify the rule for this? I'm sure we are not the only ones with this issue. Of course, it is possible that at other places this rule is simply turned off :)
Thank you
Laszlo
------------------------------
Vladx(x)
------------------------------