Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation into a false-positive command-injection alert.
Alert Details #
| Key | Value |
|---|---|
| EventID: | 117 |
| Event Time: | Feb 27, 2022, 12:36 AM |
| Rule: | SOC167 - LS Command Detected in Requested URL |
| Level: | Security Analyst |
| Hostname: | EliotPRD |
| Destination IP Address: | 188.114.96.15 |
| Source IP Address: | 172.16.17.46 |
| HTTP Request Method: | GET |
| Requested URL: | https://letsdefend.io/blog/?s=skills |
| User-Agent: | Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0 |
| Alert Trigger Reason: | URL Contains LS |
| Device Action: | Allowed |
Initial Triage #
Actions: #
- Copied alert details to notes
- Created case
- Began analysis
Thoughts: #
“Judging purely off that URL, it looks like a false positive.”
Analysis #
Tools Used: #
IP: #
| Key | Value |
|---|---|
| VirusTotal: | 0/93 (CloudFlare) |
| Talos Intelligence: | Neutral (CloudFlare) |
| AbuseIPDB: | 7 Reports (CloudFlare Reverse Proxy) |
Thoughts: #
“LetsDefend probably just needed an IP for the alert…”
Log Analysis #
(Log heavily simplified for writeup brevity)
| Key | Value |
|---|---|
| Request URL 1: | https://letsdefend.io/blog/ |
| Request URL 2: | https://letsdefend.io/blog/how-to-become-a-soc-analyst/ |
| Request URL 3: | https://letsdefend.io/blog/how-to-analyze-rtf-template-injection-attacks/ |
| Request URL 4: | https://letsdefend.io/blog/red-team-vs-blue-team-learn-the-difference/ |
| Request URL 5: | https://letsdefend.io/blog/how-to-prepare-soc-analyst-resume/ |
| Request URL 6: | https://letsdefend.io/blog/?s=skills |
| Request URL 7: | https://letsdefend.io/blog/soc-analyst-career-without-a-degree/ |
Thoughts: #
“False positive, normal traffic. Alert tripped due to word ‘skills’ containing ‘ls’.”
Determination #
Verdict: #
- False Positive
- Close Case
Reasoning: #
- Normal user traffic in SIEM logs.
- Alert triggered due to the word “skills” containing “ls”.
Playbook #
Questions: #
| Question | Answer |
|---|---|
| Is Traffic Malicious? | Non-malicious |
| Is There a Different Request/Traffic? | Yes |
| Is Traffic Malicious? | Non-malicious |
Notes: #
Verdict: False Positive.
Summary: Normal traffic. Alert tripped due to word ‘skills’ containing ‘ls’.
Validated via: SIEM logs.
Actions taken: None.
Final Thoughts: #
“That alert rule should be tuned to not trigger on expected words…”
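To show why the rule fired on a harmless search term and how a tuned rule could avoid it, here is an added example (not LetsDefend's rule logic, and not part of the original writeup). It approximates the "URL Contains LS" trigger as a plain substring check, then contrasts it with a tuned check that decodes the URL and only flags `ls` when it stands as its own token inside a parameter value or path segment. The URL list is constructed from the writeup's log table plus one made-up URL that actually carries an `ls` token, so the difference between the two rules is visible; the token regex and the tokenization rules are assumptions, not the platform's.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample: the request URLs from the writeup's log table, plus one
# constructed URL that carries an actual ls token so the tuned rule has
# something to catch.
SAMPLE_URLS = [
    "https://letsdefend.io/blog/",
    "https://letsdefend.io/blog/how-to-become-a-soc-analyst/",
    "https://letsdefend.io/blog/?s=skills",
    "https://letsdefend.io/blog/soc-analyst-career-without-a-degree/",
    "https://letsdefend.io/blog/?s=foo;ls%20-la",  # constructed, not from the log
]


def naive_rule(url: str) -> bool:
    """Approximation of 'URL Contains LS': a case-insensitive substring check.

    This is what makes 'skills' trip the alert: the letters 'ls' appear
    inside an ordinary English word.
    """
    return "ls" in url.lower()


# Assumed tuned pattern: 'ls' counts only when it is bounded by the start or
# end of the value or by a shell separator / whitespace on both sides.
_LS_TOKEN = re.compile(r"(?:^|[;&|`\s])ls(?:$|[\s;&|`])")


def _candidate_values(url: str):
    """Yield the decoded parts of a URL worth inspecting: query values and path segments."""
    parsed = urlparse(url)
    # Split the query manually on '&' so behaviour does not depend on the
    # Python version's parse_qs separator handling; decode each value once.
    for pair in parsed.query.split("&"):
        _key, _sep, value = pair.partition("=")
        yield unquote(value)
    for segment in parsed.path.split("/"):
        yield unquote(segment)


def tuned_rule(url: str) -> bool:
    """Flag the URL only if 'ls' appears as a standalone token in some part of it."""
    return any(_LS_TOKEN.search(value) for value in _candidate_values(url))


def compare(urls):
    """Return {url: (naive_fired, tuned_fired)} so the two rules can be compared."""
    return {u: (naive_rule(u), tuned_rule(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, tuned) in compare(SAMPLE_URLS).items():
        print(f"naive={naive!s:5} tuned={tuned!s:5} {url}")
```

Running the block shows the search for `skills` firing the naive rule but not the tuned one, while the constructed `foo;ls -la` value fires both. The tuned check is still only a starting point for a real tuning exercise: it decodes a single layer of percent-encoding and looks at query values and path segments, so a production rule would also want to decide how to treat other encodings and headers before relying on it.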