No Escalation

LD-Passwd Found in Requested URL - Possible LFI Attack

April 2, 2026

SOC SIEM EDR Log Analysis Web Attack LFI Path Traversal No Escalation True Positive AbuseIPDB VirusTotal

An external Tencent Cloud IP sent a single LFI request targeting /etc/passwd via path traversal. The server returned HTTP 500 with an empty response body, confirming the attack did not succeed.

LD-LS Command Detected in Requested URL

April 2, 2026

SOC SIEM EDR Log Analysis False Positive No Escalation

Alert triggered on the string ’ls’ found in a legitimate search query parameter. The traffic originated from an internal IP to letsdefend.io and contains no malicious payload. False positive - rule lacks context awareness for partial string matches.

LD-Javascript Code Detected in Requested URL

April 2, 2026

SOC SIEM EDR Log Analysis Web Attack XSS Injection No Escalation True Positive AbuseIPDB VirusTotal

An external IP performed XSS reconnaissance against the /search/ endpoint, cycling through multiple injection payloads. All requests except the first returned HTTP 302, indicating server-side sanitization blocked execution. The attack did not succeed.

LD-Possible SQL Injection Payload Detected

March 22, 2026

SOC SIEM EDR Log Analysis Web Attack SQL Injection No Escalation True Positive AbuseIPDB VirusTotal

An external IP hosted on DigitalOcean performed a manual SQL injection reconnaissance against an internal web server, cycling through classic SQLi payloads. All requests returned HTTP 500, confirming the attack did not succeed.

↑