This query searches web proxy logs for a specific type of beaconing behavior by joining a number of sources together:

- Traffic by actual web browsers, identified by looking at traffic generated by a UserAgent that looks like a browser and is used by multiple users to visit a large number of domains.
- Users that make requests using one of these actual browsers, but only to a small set of domains, none of which are common domains.
- The traffic is beacon-like, meaning that it occurs during many different
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | FalconFriday |
| ID | 6345c923-99eb-4a83-b11d-7af0ffa75577 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | CommandAndControl |
| Techniques | T1071.001 |
| Required Connectors | Zscaler |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| CommonSecurityLog | `DeviceProduct == "NSSWeblog"`, `DeviceVendor == "Zscaler"` | ✓ | ✓ | ? |