
ATP Alerts every 4 - 8 mins.

For the last three hours I have been getting ATP Alerts every 4 - 8 mins.  The trouble is that the source IP keeps changing.  Here is an example.

Message........: BROWSER-IE Microsoft Edge App-v vbs command attempt

Details........: https://www.snort.org/search?query=48053

Time...........: 2020-05-12 15:07:12

Packet dropped.: yes

Priority.......: high

Classification.: Attempted User Privilege Gain

IP protocol....: 6 (TCP)

Source IP address: 23.40.196.9 (a23-40-196-9.deploy.static.akamaitechnologies.com)

Source port: 80 (http)

Destination IP address: 192.168.15.18

Destination port: 53492

The internal IP is one of our domain controllers.  I have checked the logs on the DCs but don't see anything.

Any ideas?

  • Follow up to my original post.  My bad - it was not a domain controller, it was an internal web server that was being called out by IPS.  After logging into the webserver and doing a netstat for all activity on port 80 I saw that doSvc (Windows Delivery Optimization service) was the culprit.  I then looked at Windows Update and it was stuck downloading 2020-05 Cumulative Update for Windows Server 2019.  So that means either the CDNs have been compromised and the content is infected or it's a false positive with the snort rule.  I have since then disabled the Delivery Optimization service.

    Seeing all the other similar posts, my money is on a bad snort rule.

    Dave.
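The triage step in the post above (netstat on port 80, then working out which service owns the socket) is fiddly when the owner is svchost.exe, because one svchost PID hosts several services. The following PowerShell is an added example, not code from the thread or from Sophos, that does the same mapping in one pass: it lists TCP connections to the remote port named in the alert, resolves each owning PID to its process, and for svchost hosts joins against Win32_Service to show which service (DoSvc for Delivery Optimization) actually owns the connection. It assumes Windows 10 / Server 2019 with the NetTCPIP module (Get-NetTCPConnection) and an elevated prompt; the remote address defaults to the Akamai IP quoted in the original alert and is only a filter value.

```powershell
# Added example (not from the thread): map outbound HTTP connections on a Windows host
# to the owning process and, for svchost.exe, to the service(s) running inside that PID.
# Run elevated on the host named in the alert's "Destination IP address".
param(
    # Source IP from the alert. Pass '' to list every connection to port 80 regardless of peer.
    [string]$RemoteAddress = '23.40.196.9'
)

# Connections whose remote port is 80 (the alert's "Source port: 80"). Not filtering on State,
# so connections that have already moved to CloseWait/TimeWait are still shown.
$conns = Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue |
    Where-Object { $RemoteAddress -eq '' -or $_.RemoteAddress -eq $RemoteAddress }

# Win32_Service.ProcessId tells us which services live in a given svchost.exe process.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $svc  = ($services |
             Where-Object { $_.ProcessId -eq $c.OwningProcess } |
             Select-Object -ExpandProperty Name) -join ','
    [pscustomobject]@{
        Local    = "$($c.LocalAddress):$($c.LocalPort)"
        Remote   = "$($c.RemoteAddress):$($c.RemotePort)"
        State    = $c.State
        PID      = $c.OwningProcess
        Process  = $proc.ProcessName
        Services = $svc    # e.g. "DoSvc" when Delivery Optimization owns the socket
    }
}

# Corroborate the Windows Update angle: what Delivery Optimization is currently fetching.
# Get-DeliveryOptimizationStatus ships with Windows 10 1709+ / Server 2019; skipped if absent.
if (Get-Command Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue) {
    Get-DeliveryOptimizationStatus | Select-Object FileId, FileSize, BytesFromHttp, Status
}
```

If the Services column shows DoSvc and Get-DeliveryOptimizationStatus lists an in-progress cumulative update, the IPS hit is the update download itself rather than something the web server initiated, which is the false-positive case the reply lands on; an unexpected process in that column is the result worth escalating.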

  • I've been getting these too from our Windows computers. It didn't really stop after turning off Delivery Optimization (maybe it was still trying to use it), but I downloaded the update manually (from MS) and applied it, and haven't had it since from that computer.