# anomalous\_traffic\_itar **Explanation** This event is triggered by Netography's Fusion Portal when it detects a data transfer to IP addresses in countries listed under US Code 22 CFR § 126.1 (ITAR countries) “Prohibited exports, imports, and sales to or from certain countries” that exceeds an automatically determined baseline threshold. Auto Thresholding observes related network traffic to determine a baseline and then defines thresholds as a number of standard deviations from the typically observed traffic. This event specifically looks for data transfers to IP addresses in ITAR countries that are multiple standard deviations greater than the learned baseline. **What to Look For** Anomalous traffic to ITAR countries may be an indication that your network is compromised and attackers are stealing information by moving it (exfiltrating it) off your network. While web servers may incidentally interact with IP addresses in ITAR countries, anomalous traffic to IPs in ITAR countries is a cause for concern and may be an indication of attackers exfiltrating data and are worthy of investigation because they may be indicative of a ransomware attack or industrial espionage. Investigate hosts that are the source of this sort of activity in order to make sure that it is authorized and expected, and the hosts have not been compromised. Determine if hosts communicating with IP addresses in ITAR countries are responding to web requests or initiated connections and are sending data. Ensure that hosts communicating with IPs in ITAR countries are authorized to send data to these countries and that the data they are sending is also authorized. Check network logs for additional information to ensure that sensitive information is secure. **Related MITRE ATT\&CK Categories** [Exfiltration: Exfiltration Over Alternative Protocol, Technique T1048 - Enterprise](https://attack.mitre.org/techniques/T1048) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise/anomalous_traffic_itar.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.