Alert
EventID : 117
Event Time : Feb, 27, 2022, 12:36 AM
Rule : SOC167 - LS Command Detected in Requested URL
Level : Security Analyst
Hostname : EliotPRD
Destination IP Address : 188.114.96.15
Source IP Address : 172.16.17.46
HTTP Request Method : GET
Requested URL : https://letsdefend.io/blog/?s=skills
User-Agent : Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Alert Trigger Reason : URL Contains LS
Device Action : Allowed
Identification
Is the traffic coming from outside?
The source IP 172.16.17.46 is an internal address. The destination 188.114.96.15 resolves to letsdefend.io - a legitimate external platform. Traffic direction is Company Network to Internet.
Is the source malicious?
The source is an internal host. The destination is a known legitimate platform.
What type of attack was attempted?
No attack was attempted. The alert triggered because the detection rule matched the string ls within the word skil**ls** in the search query ?s=skills. This is a false positive caused by a substring match - the rule lacks context to distinguish the ls Linux command from the same character sequence appearing inside a legitimate word. The request is a standard blog search on letsdefend.io.
Triage Decision
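The substring problem described above, shown as an added example (not part of the original alert write-up): a naive "URL contains ls" check is run beside a context-aware check that only fires when ls stands alone as a token or follows a shell separator inside a decoded query value or path segment. The separator set and the URLs other than the alerted one are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# What the SOC167 rule effectively does: any occurrence of "ls", anywhere.
NAIVE = re.compile(r"ls", re.IGNORECASE)

# Context-aware variant (assumed tuning, not the vendor rule): "ls" must be
# at the start of a value or follow a shell separator, and be followed by
# whitespace, end of value, or a flag. Letters on either side (skills,
# tools, false) are rejected.
CONTEXT = re.compile(r"(?:^|[;|&`$(\s])\s*ls(?:\s|$|-)", re.IGNORECASE)

def candidate_fields(url: str) -> list[str]:
    """Split a URL into the pieces a tuned rule should inspect separately:
    each decoded query value and each path segment."""
    parts = urlsplit(url)
    # parse_qsl decodes percent-encoding and '+'; a second unquote catches
    # one layer of double encoding.
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    segments = [unquote(s) for s in parts.path.split("/") if s]
    return values + segments

def classify(url: str) -> tuple[bool, bool]:
    """Return (naive_hit, context_hit) for one requested URL."""
    naive_hit = bool(NAIVE.search(unquote(url)))
    context_hit = any(CONTEXT.search(f) for f in candidate_fields(url))
    return naive_hit, context_hit

def triage(url: str) -> str:
    naive_hit, context_hit = classify(url)
    if naive_hit and not context_hit:
        return "false positive candidate (substring match only)"
    if context_hit:
        return "escalate (ls appears as a standalone command token)"
    return "no match"

# The URL from the alert, plus constructed samples for comparison.
ALERT_URL = "https://letsdefend.io/blog/?s=skills"
SAMPLES = [
    ALERT_URL,
    "https://example.test/?s=false+positive",        # constructed
    "https://example.test/?s=ls",                    # constructed
    "https://example.test/search?q=docs;ls%20-la",   # constructed
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:50} naive={classify(u)[0]!s:5} -> {triage(u)}")
```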
False Positive. The URL https://letsdefend.io/blog/?s=skills is a legitimate search request from an internal user to an external platform. The string ls is a substring of skills and does not represent a command injection attempt. No malicious traffic was identified.
IOCs
None.