What is the ITIL-Sidekick-Monitor probe?

You found this page because you saw ITIL-Sidekick-Monitor/1.0 in your server logs or your WAF flagged it. Here's the short version:

ITIL Sidekick is a service-availability monitoring tool. Someone — almost certainly a customer of yours, a colleague, or your own team — has configured it to probe a URL on your site to check whether the service is responding. We hit the URL roughly every minute from Cloudflare's edge network.

What our probe does

How to recognise our probe

HeaderValue
User-AgentITIL-Sidekick-SyntheticProbe/2.0 (Security-Verified; Enterprise-Monitor; +https://itilsidekick.com/about/probe)
X-ITIL-Probe-AuthPer-monitor static key for WAF allowlisting (optional, backward-compat).
X-ITIL-Sidekick-SignatureShort-lived HS256 JWT for cryptographic validation (Pro+ — see below).
Origin ASNAS13335 (Cloudflare) — use ASN-based allowlisting instead of IP ranges.
Origin IPsDynamic Cloudflare PoP IPs — see cloudflare.com/ips.

JWT Signature header (enterprise validation)

When a Pro+ monitor has a JWT probe secret configured, every probe carries an X-ITIL-Sidekick-Signature header containing an HS256-signed JWT. Your WAF or origin gateway can validate this token cryptographically — no IP allowlisting needed.

Token claims:

ClaimValue
issitil-sidekick-edge-compute
sub<user_id>:<monitor_id> — tenant identifier
iatUnix epoch of issue
expiat + 300 — valid 5 minutes, prevents replay attacks

How to allow our probe through your WAF

1 — Cloudflare WAF (Custom Skip Rule)

(ip.geoip.asnum eq 13335
  and http.user_agent contains "ITIL-Sidekick-SyntheticProbe/2.0"
  and any(http.request.headers["x-itil-probe-auth"][*] eq "<your-probe-auth-key>"))
Action: Skip — All remaining custom rules + Bot Fight Mode

2 — AWS WAF (Web ACL ALLOW rule, priority 0)

Rule name: Allow-ITIL-Sidekick-SyntheticProbes
AndStatement:
  - ByteMatchStatement: User-Agent CONTAINS "ITIL-Sidekick-SyntheticProbe"
  - ByteMatchStatement: Header "x-itil-probe-auth" EXACTLY "<your-probe-auth-key>"
Action: ALLOW

3 — Palo Alto NGFW (SSL Forward Proxy + Header Match)

1. SSL Decryption Policy → SSL Forward Proxy for traffic from AS13335.
2. URL Filtering Profile → Custom Category "ITIL-Sidekick-Targets".
3. Decryption Profile → Strip ALPN (HTTP/2 → HTTP/1.1).
4. Security Policy Rule → URL Filtering Profile: match header
   X-ITIL-Sidekick-Signature or X-ITIL-Probe-Auth → Action: Allow.

4 — Generic static probe-auth key (all other WAFs)

Generate a probe-auth key in your ITIL Sidekick monitor settings. Add one rule: allow requests where header X-ITIL-Probe-Auth equals your key. That key never changes until you rotate it — much safer than IP-based rules.

SOC / SIEM configuration — stopping false-positive alerts

Our probes are synthetic HTTP sweeps executed globally from Cloudflare PoPs. Without proper exclusion rules they will appear as scanning activity in your SIEM. Configure the following suppression rules to prevent alert fatigue:

Splunk Enterprise Security — Dynamic Alert Throttling & UEBA Exclusion

/* 6-hour throttling window on correlation searches */
| rex field="risk_message" "(?<risk_signature>.*) -.*"
| fields risk_object, risk_object_type, source_count, mitre_tactic_id_count

/* UEBA Finding Exclusion Rule */
Location: ES → Configuration → UEBA Configuration → Finding Exclusions
Match criteria:
  http_user_agent EXACTLY "ITIL-Sidekick-SyntheticProbe/2.0 (Security-Verified; Enterprise-Monitor; +https://itilsidekick.com/about/probe)"
Result: Drop from UEBA risk score — raw logs remain searchable for compliance.

Datadog Log Ingestion — Pipeline Exclusion Filter

-@http.user_agent:"ITIL-Sidekick-SyntheticProbe/2.0 (Security-Verified; Enterprise-Monitor; +https://itilsidekick.com/about/probe)"

Enterprise Security Config Reference

DomainPlatformMechanismKey Fields
Edge ProtectionCloudflare WAFCustom Skip RuleASN 13335, User-Agent, X-ITIL-Probe-Auth
App FirewallAWS WAFPriority-0 ALLOW RuleHeader byte match
Next-Gen FirewallPalo Alto NGFWSSL Forward Proxy + Header CheckDecrypt profile, URL category, ALPN strip
Endpoint / mTLSAny originClient certificate validationCloudflare mTLS binding (contact support)
Security OperationsSplunk SIEMDynamic throttling + UEBA exclusionhttp_user_agent match, risk_object grouping
ObservabilityDatadogLog pipeline exclusion filter@http.user_agent prefix match

How to block our probe

About ITIL Sidekick

ITIL Sidekick is a small, independent SaaS based in Ontario, Canada, hosted entirely on Cloudflare. See itilsidekick.com for the product page, Terms of Use, Privacy Policy, and Pricing.