Rules: Spike in URL Length from IP Address
Detects an outlier in URL length originating from an IP address, measured against a daily standard deviation over a designated historic baseline of what has previously been observed for that IP address. This type of anomaly can be linked with web-based Command and Control, where an implant encodes tasking or exfiltrated data in an unusually long request path or query string. By default a URL must be at least 128 characters long (the floor value) before it can be flagged, so short URLs never trigger the rule even when they are statistically unusual for the IP.
Detail | Value |
---|---|
Type | Outlier |
Category | Command and Control |
Apply Risk to Entities | srcDevice_ip |
Signal Name | Spike in URL Length from IP Address: {{srcDevice_ip}} |
Summary Expression | Excessive URL length identified for IP Address: {{srcDevice_ip}} based on daily historic activity |
Retention Window | 7776000000 ms (90 days) |
Baseline Window | 1296000000 ms (15 days) |
Standard Deviation Threshold | 3 |
Floor Value | 128 |
Score/Severity | Static: 2 |
Enabled by Default | True |
Prototype | False |
Tags | _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1102 |
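The detection logic the table above describes, written out as an added example (this is not Sumo Logic's rule code). Per source IP it takes a daily statistic of URL length, compares the current day against the mean and standard deviation of the preceding 15-day baseline, and applies the 128-character floor. The assumptions not stated on the page are labelled in the code: the daily statistic is the longest URL an IP sent that day, days with no HTTP records for the IP are skipped, at least two baseline days are required, and the listMatches check is modelled as a hypothetical user-agent allowlist. The three sample IPs are constructed data and show a true spike, a host that always sends long URLs, and a relative spike that never reaches the floor.

```python
"""Per-IP daily URL-length outlier check, modelled on the rule described above.

Added example, not Sumo Logic's rule implementation. Assumptions not stated on
the page: the daily statistic is the longest URL an IP sent that day, the
baseline is that IP's daily values in the preceding window, days on which the
IP sent no HTTP records are skipped, at least two baseline days are required,
and the listMatches check is a user-agent allowlist (hypothetical contents).
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

BASELINE_WINDOW_MS = 1296000000                          # from the rule table
BASELINE_WINDOW_DAYS = BASELINE_WINDOW_MS // 86_400_000  # 15 days
STDDEV_THRESHOLD = 3
FLOOR_VALUE = 128
UA_ALLOWLIST = {"internal-scanner/1.0"}                  # hypothetical list for listMatches


def is_candidate(rec):
    """Mirror the fields the rule reads: an Http object with a non-empty URL
    (isEmpty) whose user agent is not on the allowlist (listMatches)."""
    return (rec.get("objectType") == "Http"
            and bool(rec.get("http_url"))
            and rec.get("http_userAgent") not in UA_ALLOWLIST)


def daily_max_url_length(records):
    """Return {srcDevice_ip: {day: longest URL length seen that day}}."""
    per_ip = defaultdict(dict)
    for rec in records:
        if not is_candidate(rec):
            continue
        ip, day, n = rec["srcDevice_ip"], rec["timestamp"].date(), len(rec["http_url"])
        per_ip[ip][day] = max(n, per_ip[ip].get(day, 0))
    return per_ip


def is_outlier(value, baseline, threshold=STDDEV_THRESHOLD, floor=FLOOR_VALUE):
    """True when value clears the floor and exceeds mean + threshold * stddev.
    Caveat: a constant baseline has zero stddev, so any larger value is then an
    outlier; the floor is what keeps short URLs from firing in that case."""
    if value < floor or len(baseline) < 2:
        return False
    return value > mean(baseline) + threshold * pstdev(baseline)


def evaluate(records, day, window_days=BASELINE_WINDOW_DAYS):
    """Return {srcDevice_ip: outlier?} for every IP with HTTP activity on `day`."""
    start = day - timedelta(days=window_days)
    verdicts = {}
    for ip, days in daily_max_url_length(records).items():
        if day in days:
            baseline = [v for d, v in days.items() if start <= d < day]
            verdicts[ip] = is_outlier(days[day], baseline)
    return verdicts


# --- constructed sample data (not real logs) ---------------------------------
TODAY = date(2024, 3, 20)


def _records(ip, baseline_lengths, today_length, ua="Mozilla/5.0"):
    """One HTTP record per day: len(baseline_lengths) days of history, then today."""
    lengths = list(baseline_lengths) + [today_length]
    recs = []
    for i, n in enumerate(lengths):
        day = TODAY - timedelta(days=len(baseline_lengths) - i)
        recs.append({"objectType": "Http", "srcDevice_ip": ip, "http_userAgent": ua,
                     "http_url": "https://h.example/" + "a" * (n - 18),  # prefix is 18 chars
                     "timestamp": datetime(day.year, day.month, day.day, 12)})
    return recs


SAMPLE_RECORDS = (
    # 10.0.0.5: short URLs for 15 days, then a 600-char URL (e.g. base64 in the query)
    _records("10.0.0.5", [70, 72, 68, 75, 71, 69, 74, 70, 73, 71, 68, 72, 70, 74, 69], 600)
    # 10.0.0.9: a web app that always sends long URLs; 525 is within its normal spread
    + _records("10.0.0.9", [500, 510, 495, 505, 520, 498, 515, 502, 508, 512], 525)
    # 10.0.0.7: a relative spike that never reaches the 128-character floor
    + _records("10.0.0.7", [30, 32, 31, 29, 30, 33, 31, 30], 110)
    # an allowlisted scanner sending a 2000-char URL today: excluded by listMatches
    + _records("10.0.0.5", [], 2000, ua="internal-scanner/1.0")
)

if __name__ == "__main__":
    for ip, flagged in sorted(evaluate(SAMPLE_RECORDS, TODAY).items()):
        if flagged:
            print(f"Spike in URL Length from IP Address: {ip}")
```

Running it flags only 10.0.0.5. The zero-variance caveat in `is_outlier` is worth keeping in mind when tuning: a host whose baseline is perfectly regular will fire on any URL longer than its norm once the floor is cleared, so the floor, not the standard deviation threshold, is the effective knob for such hosts.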
Log sources (vendor - product) this rule applies to:
- Akamai - SIEM
- Amazon AWS - Application Load Balancer
- Amazon AWS - CloudFront
- Amazon AWS - EKS
- Amazon AWS - Elastic Load Balancer
- Amazon AWS - Web Application Firewall (WAF)
- Bro - Bro
- Cisco Systems - Ironport
- Cisco Systems - Meraki
- Cisco Systems - Umbrella
- Forcepoint - Web Security
- Fortinet - Fortigate
- Google - Google Cloud Platform
- Imperva - Imperva Incapsula
- McAfee - Web Gateway
- Microsoft - Azure
- Microsoft - IIS
- Netskope - Security Cloud
- Sophos - UTM 9
- Squid - Squid Proxy
- Symantec - Web Security Service
- Zscaler - Firewall
- Zscaler - Nanolog Streaming Service
Origin | Field |
---|---|
Normalized Schema | http_url |
Normalized Schema | http_userAgent |
Normalized Schema | isEmpty |
Normalized Schema | listMatches |
Normalized Schema | objectType |
Normalized Schema | srcDevice_ip |