This time we have a quick alert (oops, did I already give away the final answer?) to check out, so without any further ado, let’s get defending.
Understand Why the Alert Was Triggered
The SIEM alert tells us that someone made a request to the URL https://letsdefend.io/blog/?s=skills, and this URL matches the rule “URL Contains LS”, indicating possible command injection. Looking at the URL alone spidey-sense starts tingling, but in order to make sure we need to look deeper into the event.
Collect Data
The source IP is a host in the local network, and checking out the IP of the destination (188.114.96.15) we can figure out that it’s the LetsDefend blog that’s being accessed.
Examine HTTP Traffic
Looking at the Log Management we find few other requested URL from the blog as well, and so far everything seems to be in order. All the requests are directed either towards legitimate blog posts, or like in the case of our alert, the search function on the site.
Is the Traffic Malicious?
We are unable to spot anything that would indicate malicious traffic in any way, and all the other requests from the local host appear to be legitimate.
Is There a Different Request/Traffic?
There are other requests made from the local host to the destination IP, but all the requests look like regular web browsing, accessing the blog and making a search for the term “skills”. With this we’re able to conclude that the problem here is that our SIEM considered the LS part in the search term skills to be a command, possibly since it’s part of the URL parameter, whereas in reality it’s just a harmless web search.
Analyst Note
SIEM false positive with requested URL “https://letsdefend.io/blog/?s=skills”. All other traffic looks legitimate, no cause for concern.