What is the ITIL-Sidekick-Monitor probe?
You found this page because you saw ITIL-Sidekick-Monitor/1.0 in your server
logs or your WAF flagged it. Here's the short version:
ITIL Sidekick is a service-availability monitoring tool. Someone — almost certainly a customer of yours, a colleague, or your own team — has configured it to probe a URL on your site to check whether the service is responding. We hit the URL roughly every minute from Cloudflare's edge network.
What our probe does
- Sends one HTTP
GETrequest per check, every 60 seconds. - Follows up to 5 HTTP redirects.
- Reads at most the first 512 bytes of the response body.
- Records the HTTP status code, response time, redirect chain, headers, and TLS metadata.
- Does not log in, post forms, scrape content, or execute JavaScript.
- Honours
Retry-Afterheaders — if you respond with 429 + Retry-After, we back off for that duration.
How to recognise our probe
| Header | Value |
|---|---|
User-Agent | ITIL-Sidekick-SyntheticProbe/2.0 (Security-Verified; Enterprise-Monitor; +https://itilsidekick.com/about/probe) |
X-ITIL-Probe-Auth | Per-monitor static key for WAF allowlisting (optional, backward-compat). |
X-ITIL-Sidekick-Signature | Short-lived HS256 JWT for cryptographic validation (Pro+ — see below). |
| Origin ASN | AS13335 (Cloudflare) — use ASN-based allowlisting instead of IP ranges. |
| Origin IPs | Dynamic Cloudflare PoP IPs — see cloudflare.com/ips. |
JWT Signature header (enterprise validation)
When a Pro+ monitor has a JWT probe secret configured, every probe carries an
X-ITIL-Sidekick-Signature header containing an HS256-signed JWT. Your WAF or
origin gateway can validate this token cryptographically — no IP allowlisting needed.
Token claims:
| Claim | Value |
|---|---|
iss | itil-sidekick-edge-compute |
sub | <user_id>:<monitor_id> — tenant identifier |
iat | Unix epoch of issue |
exp | iat + 300 — valid 5 minutes, prevents replay attacks |
How to allow our probe through your WAF
1 — Cloudflare WAF (Custom Skip Rule)
(ip.geoip.asnum eq 13335 and http.user_agent contains "ITIL-Sidekick-SyntheticProbe/2.0" and any(http.request.headers["x-itil-probe-auth"][*] eq "<your-probe-auth-key>")) Action: Skip — All remaining custom rules + Bot Fight Mode
2 — AWS WAF (Web ACL ALLOW rule, priority 0)
Rule name: Allow-ITIL-Sidekick-SyntheticProbes AndStatement: - ByteMatchStatement: User-Agent CONTAINS "ITIL-Sidekick-SyntheticProbe" - ByteMatchStatement: Header "x-itil-probe-auth" EXACTLY "<your-probe-auth-key>" Action: ALLOW
3 — Palo Alto NGFW (SSL Forward Proxy + Header Match)
1. SSL Decryption Policy → SSL Forward Proxy for traffic from AS13335. 2. URL Filtering Profile → Custom Category "ITIL-Sidekick-Targets". 3. Decryption Profile → Strip ALPN (HTTP/2 → HTTP/1.1). 4. Security Policy Rule → URL Filtering Profile: match header X-ITIL-Sidekick-Signature or X-ITIL-Probe-Auth → Action: Allow.
4 — Generic static probe-auth key (all other WAFs)
Generate a probe-auth key in your ITIL Sidekick monitor settings. Add one rule: allow
requests where header X-ITIL-Probe-Auth equals your key. That key never
changes until you rotate it — much safer than IP-based rules.
SOC / SIEM configuration — stopping false-positive alerts
Our probes are synthetic HTTP sweeps executed globally from Cloudflare PoPs. Without proper exclusion rules they will appear as scanning activity in your SIEM. Configure the following suppression rules to prevent alert fatigue:
Splunk Enterprise Security — Dynamic Alert Throttling & UEBA Exclusion
/* 6-hour throttling window on correlation searches */ | rex field="risk_message" "(?<risk_signature>.*) -.*" | fields risk_object, risk_object_type, source_count, mitre_tactic_id_count /* UEBA Finding Exclusion Rule */ Location: ES → Configuration → UEBA Configuration → Finding Exclusions Match criteria: http_user_agent EXACTLY "ITIL-Sidekick-SyntheticProbe/2.0 (Security-Verified; Enterprise-Monitor; +https://itilsidekick.com/about/probe)" Result: Drop from UEBA risk score — raw logs remain searchable for compliance.
Datadog Log Ingestion — Pipeline Exclusion Filter
-@http.user_agent:"ITIL-Sidekick-SyntheticProbe/2.0 (Security-Verified; Enterprise-Monitor; +https://itilsidekick.com/about/probe)"
Enterprise Security Config Reference
| Domain | Platform | Mechanism | Key Fields |
|---|---|---|---|
| Edge Protection | Cloudflare WAF | Custom Skip Rule | ASN 13335, User-Agent, X-ITIL-Probe-Auth |
| App Firewall | AWS WAF | Priority-0 ALLOW Rule | Header byte match |
| Next-Gen Firewall | Palo Alto NGFW | SSL Forward Proxy + Header Check | Decrypt profile, URL category, ALPN strip |
| Endpoint / mTLS | Any origin | Client certificate validation | Cloudflare mTLS binding (contact support) |
| Security Operations | Splunk SIEM | Dynamic throttling + UEBA exclusion | http_user_agent match, risk_object grouping |
| Observability | Datadog | Log pipeline exclusion filter | @http.user_agent prefix match |
How to block our probe
- Ask your team. Someone configured this monitor — they can disable it in the ITIL Sidekick dashboard.
- Block by User-Agent. Block requests where
User-AgentcontainsITIL-Sidekick-SyntheticProbe. Our probe Worker detects a sustained 403 as "blocked" and auto-pauses to once per hour, then auto-resumes when the block clears. - Email us. contact@vibeprosoft.com — include the URL being probed and we'll trace it to the customer account.
About ITIL Sidekick
ITIL Sidekick is a small, independent SaaS based in Ontario, Canada, hosted entirely on Cloudflare. See itilsidekick.com for the product page, Terms of Use, Privacy Policy, and Pricing.