So there are a lot (hundreds to thousands) of logs showing up with the messages
Built outbound TCP Connection (event id ASA-302013) and then
Teardown TCP Connection (event id ASA-302014) with the same source and destination IP address. Here is one of the messages for Built Outbound TCP Connection:
ASA-6-302013:Malicious Source(s) detected : 184.108.40.206
Log Message : Built outbound TCP connection 790892754 for OUTSIDE:220.127.116.11/445 (18.104.22.168/445) to INSIDE2:10.14.41.111/55214 (10.14.84.111/55214)
And here is one of the messages for Teardown TCP Connection:
ASA-6-302014:Malicious Source(s) detected : 22.214.171.124
Log Message : Teardown TCP connection 790892754 for OUTSIDE:126.96.36.199/445 to INSIDE2:10.14.84.111/55214 duration 0:00:30 bytes 0 SYN Timeout
There are at least 3 devices (probably more, because I'm only checking a specified date) that create these logs, and I am not sure what kind of device they are either, because they belong to my client.
Is this an anomaly, because all these logs say a device tried to create an outbound TCP connection to a lot of different IPs and then deleted the connection, which failed because of a SYN Timeout after waiting 30 seconds for a reply? Or are these normal events?
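One way to answer this from the logs themselves is to pair each 302013 build with its 302014 teardown by connection id and then count, per inside host, how many distinct targets on a port ended as "bytes 0 SYN Timeout". The script below is an added example, not code from the original post; the sample lines are constructed to follow the format shown above (with the 203.0.113.0/24 documentation range as placeholder target addresses), and the threshold of three distinct targets is an assumption to tune for the environment.

```python
"""Correlate Cisco ASA 302013 (build) and 302014 (teardown) TCP events by
connection id and flag inside hosts whose connections to many distinct
targets all ended in 'bytes 0 SYN Timeout'.  Added example, not from the
original post; SAMPLE_LOG is constructed to match the question's format."""
import re
from collections import defaultdict

# ASA-6-302013: "Built outbound TCP connection <id> for <if>:<ip>/<port> (<mapped>)
#                to <if>:<ip>/<port> (<mapped>)"
# For an outbound build the initiating inside host is the pair after "to",
# as in the question's message (INSIDE2:10.14.84.111/55214).
BUILD_RE = re.compile(
    r"Built outbound TCP connection (?P<conn>\d+) for "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?: \([\d.]+/\d+\))? to "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: \([\d.]+/\d+\))?"
)
# ASA-6-302014: "Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port>
#                duration h:mm:ss bytes <n> <reason>"
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"[^:\s]+:[\d.]+/\d+ to [^:\s]+:[\d.]+/\d+ "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# Constructed sample: three SYN timeouts to port 445 from one inside host,
# plus one ordinary connection from another host that carried data.
SAMPLE_LOG = """\
Log Message : Built outbound TCP connection 790892754 for OUTSIDE:203.0.113.10/445 (203.0.113.10/445) to INSIDE2:10.14.84.111/55214 (10.14.84.111/55214)
Log Message : Built outbound TCP connection 790892755 for OUTSIDE:203.0.113.11/445 (203.0.113.11/445) to INSIDE2:10.14.84.111/55215 (10.14.84.111/55215)
Log Message : Built outbound TCP connection 790892756 for OUTSIDE:203.0.113.12/445 (203.0.113.12/445) to INSIDE2:10.14.84.111/55216 (10.14.84.111/55216)
Log Message : Built outbound TCP connection 790892757 for OUTSIDE:203.0.113.20/443 (203.0.113.20/443) to INSIDE2:10.14.84.112/49200 (10.14.84.112/49200)
Log Message : Teardown TCP connection 790892754 for OUTSIDE:203.0.113.10/445 to INSIDE2:10.14.84.111/55214 duration 0:00:30 bytes 0 SYN Timeout
Log Message : Teardown TCP connection 790892755 for OUTSIDE:203.0.113.11/445 to INSIDE2:10.14.84.111/55215 duration 0:00:30 bytes 0 SYN Timeout
Log Message : Teardown TCP connection 790892756 for OUTSIDE:203.0.113.12/445 to INSIDE2:10.14.84.111/55216 duration 0:00:30 bytes 0 SYN Timeout
Log Message : Teardown TCP connection 790892757 for OUTSIDE:203.0.113.20/443 to INSIDE2:10.14.84.112/49200 duration 0:00:02 bytes 4820 TCP FINs
"""


def duration_seconds(hms):
    """Convert the ASA 'h:mm:ss' duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def correlate(lines):
    """Pair each build with its teardown; returns {conn_id: record}."""
    conns = {}
    empty = {"initiator": None, "target": None, "dst_port": None,
             "duration": None, "bytes": None, "reason": None}
    for line in lines:
        m = BUILD_RE.search(line)
        if m:
            d = m.groupdict()
            conns[d["conn"]] = dict(empty, initiator=d["src_ip"],
                                    target=d["dst_ip"], dst_port=int(d["dst_port"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            # A teardown whose build fell outside the log window still gets a
            # record so the failure reason is not lost.
            rec = conns.setdefault(d["conn"], dict(empty))
            rec["duration"] = duration_seconds(d["duration"])
            rec["bytes"] = int(d["bytes"])
            rec["reason"] = (d["reason"] or "").strip()
    return conns


def syn_timeout_fanout(conns, min_targets=3):
    """Count distinct targets per (initiator, dst_port) whose connection ended
    as 'bytes 0 SYN Timeout' (the SYN was never answered).  Returns only the
    pairs that reached min_targets distinct targets."""
    fan = defaultdict(set)
    for rec in conns.values():
        if rec["initiator"] and rec["bytes"] == 0 and rec["reason"] == "SYN Timeout":
            fan[(rec["initiator"], rec["dst_port"])].add(rec["target"])
    return {key: len(t) for key, t in fan.items() if len(t) >= min_targets}


if __name__ == "__main__":
    records = correlate(SAMPLE_LOG.splitlines())
    for (host, port), n in sorted(syn_timeout_fanout(records).items()):
        print(f"{host} -> {n} distinct targets on tcp/{port}, all 0 bytes / SYN Timeout")
```

Run against the real export, the output is the list of inside hosts worth looking at first: one host fanning out to many distinct addresses on a single port with every attempt ending at 0 bytes after the 30-second timeout is a different situation from a few hosts each failing to reach one or two servers, and the per-host, per-port counts separate the two. The duration and byte count of the matching teardown are what distinguish a connection that was refused or never answered from one that actually exchanged data.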