
Second and Third Event

Moving on in the list of automated activity, there are two http_inspect messages: IIS UNICODE CODEPOINT ENCODING and OVERSIZE REQUEST-URI DIRECTORY. The former alert triggers on Unicode-encoded characters embedded in HTTP requests. The latter indicates an overly long directory name in a URL. The machines triggering these events are a subset of the ones triggering the (http_inspect) BARE BYTE UNICODE ENCODING event, so this traffic might be related to it. It turned out that some of the offending payload came from the Cookie: entries in the HTTP headers. These entries seem to be huge and Unicode encoded. Hence, probably a false positive! What is a little strange, however, is the regularity with which these packets show up.
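One way to quantify that regularity, as an added example that is not part of the original analysis: the script below parses Snort fast-format alert lines for the two http_inspect messages and reports sources whose inter-arrival times are nearly constant. The sample lines, addresses, thresholds, and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in Snort "fast" alert format (documentation address ranges).
SAMPLE = """\
12/20-10:00:00.000000  [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:3201 -> 198.51.100.5:80
12/20-10:01:12.400000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 192.0.2.77:4410 -> 198.51.100.5:80
12/20-10:02:03.400000  [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} 192.0.2.77:4411 -> 198.51.100.5:80
12/20-10:05:00.000000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 192.0.2.10:3207 -> 198.51.100.5:80
12/20-10:07:30.000000  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.99:1050 -> 198.51.100.5:80
12/20-10:10:00.200000  [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:3215 -> 198.51.100.5:80
12/20-10:15:00.000000  [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:3222 -> 198.51.100.5:80
12/20-10:19:40.400000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 192.0.2.77:4502 -> 198.51.100.5:80
12/20-10:47:05.400000  [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} 192.0.2.77:4630 -> 198.51.100.5:80
"""

WATCHED = ("IIS UNICODE CODEPOINT ENCODING", "OVERSIZE REQUEST-URI DIRECTORY")
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"\(http_inspect\)\s+(?P<msg>.+?)\s+\[\*\*\].*?\}\s+(?P<src>[\d.]+):\d+\s+->")

def intervals_by_source(text, year="2004"):
    """Return {source IP: [seconds between consecutive watched alerts]}."""
    times = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["msg"] in WATCHED:
            # Fast alerts carry no year; an assumed one is enough for deltas.
            stamp = f"{year}/{m['ts']}"
            times[m["src"]].append(datetime.strptime(stamp, "%Y/%m/%d-%H:%M:%S.%f"))
    gaps = {}
    for src, seen in times.items():
        seen.sort()
        gaps[src] = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
    return gaps

def regular_sources(text, max_cv=0.1, min_alerts=4):
    """Sources whose gaps have a coefficient of variation <= max_cv."""
    found = {}
    for src, gaps in intervals_by_source(text).items():
        if len(gaps) + 1 >= min_alerts and mean(gaps) > 0:
            if pstdev(gaps) / mean(gaps) <= max_cv:
                found[src] = round(mean(gaps), 1)  # mean period in seconds
    return found

if __name__ == "__main__":
    print(regular_sources(SAMPLE))
```

A source that passes this check is sending on a timer, which fits automated clients replaying the same oversized cookie; it does not by itself separate benign automation from hostile automation.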



Raffy 2004-12-20