Veritas
F025 Suspicious validator: blocked

Repeated outbound connections to internal peer on port 8080 (C2-like)

External established connections to 172.16.4.10:8080

Analyst narrative

candidate cand-0041: Host 172.16.6.11 shows many TCP connections to 172.16.4.10:8080 (ESTABLISHED and CLOSE_WAIT) consistent with beaconing/proxy C2. fact_ids=network_connection_fact-0000024

Claims asserted

path: 172.16.4.10:8080

Proof chain · 0 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

Source tools

extract_network_iocs, vol_netscan