From 9ab5e6a7e1c5e65f6623a032149410e3ced1470e Mon Sep 17 00:00:00 2001
From: ljstella
Date: Wed, 27 Nov 2024 12:34:16 -0600
Subject: [PATCH] web: cleanup TBD messages

---
 ...detect_attackers_scanning_for_vulnerable_jboss_servers.yml | 2 +-
 detections/web/detect_f5_tmui_rce_cve_2020_5902.yml | 2 +-
 .../detect_malicious_requests_to_exploit_jboss_servers.yml | 4 ++--
 detections/web/monitor_web_traffic_for_brand_abuse.yml | 2 +-
 detections/web/supernova_webshell.yml | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
index b2e50dfe3f..3568c81e25 100644
--- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
+++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
@@ -25,7 +25,7 @@ known_false_positives: It's possible for legitimate HTTP requests to be made to
   containing the suspicious paths.
 references: []
 rba:
-  message: tbd
+  message: Potential Scanning for Vulnerable JBoss Servers
   risk_objects:
   - field: dest
     type: system
diff --git a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
index 6d4987441f..2ba2e7105c 100644
--- a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
+++ b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
@@ -27,7 +27,7 @@ references:
 - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
 - https://support.f5.com/csp/article/K52145254
 rba:
-  message: tbd
+  message: Potential F5 TMUI RCE traffic
   risk_objects:
   - field: dest
     type: system
diff --git a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
index cc2f62d669..5872bf9c85 100644
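Review bot: The new message on the `+  message:` line names the threat but not the asset, even though `dest` is the risk object directly below it and the supernova hunk in this same commit shows the `$dest$` token form; an analyst triaging the resulting risk event gets more from `message: Potential scanning for vulnerable JBoss servers against $dest$`. That assumes `dest` is an output field of the search, which is outside this hunk and should be confirmed before relying on the token.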
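Review bot: The message `Potential F5 TMUI RCE traffic` drops the CVE identifier that the filename and the K52145254 reference already carry, and it does not name the targeted host although `dest` is the risk object two lines below; `message: Potential F5 TMUI RCE (CVE-2020-5902) exploitation attempt against $dest$` would let an analyst match the risk event to the vendor advisory without opening the detection. As with the other web detections, the `$dest$` token only resolves if the search emits `dest`, which is not visible in this hunk.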
--- a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
+++ b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
@@ -26,9 +26,9 @@ how_to_implement: You must ingest data from the web server or capture network da
 known_false_positives: No known false positives for this detection.
 references: []
 rba:
-  message: tbd
+  message: Potentially malicious traffic exploiting JBoss servers
   risk_objects:
-  - field: dest
+  - field: dest_ip
     type: system
     score: 25
   threat_objects: []
diff --git a/detections/web/monitor_web_traffic_for_brand_abuse.yml b/detections/web/monitor_web_traffic_for_brand_abuse.yml
index 52f276ba50..b757feeffb 100644
--- a/detections/web/monitor_web_traffic_for_brand_abuse.yml
+++ b/detections/web/monitor_web_traffic_for_brand_abuse.yml
@@ -24,7 +24,7 @@ how_to_implement: You need to ingest data from your web traffic. This can be acc
 known_false_positives: None at this time
 references: []
 rba:
-  message: tbd
+  message: Potential Brand Abus discovered in web logs
   risk_objects:
   - field: src
     type: system
diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml
index ff2fc94876..00da348fae 100644
--- a/detections/web/supernova_webshell.yml
+++ b/detections/web/supernova_webshell.yml
@@ -29,7 +29,7 @@ references:
 - https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html
 - https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/
 rba:
-  message: tbd
+  message: Potential Supernova Webshell on $dest$
   risk_objects:
   - field: user
     type: user
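Review bot: The `- field: dest` / `+ - field: dest_ip` change alters which search output field the score of 25 is attached to, which goes beyond the "cleanup TBD messages" scope of the commit title and is not explained anywhere in the description. If the search (outside this hunk) emits `dest` as the sibling scanning detection in this commit does, risk events from this rule will carry no risk object and never contribute to the system's score; if it emits `dest_ip`, the scanning detection is now the inconsistent one. The search should be checked for the exact field name, and the message could reference it so the mismatch is visible at a glance, e.g. `message: Potentially malicious request exploiting JBoss servers against $dest_ip$`.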
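Review bot: `Potential Brand Abus discovered in web logs` on the `+  message:` line has a typo (`Abus`) in an analyst-facing string that will appear verbatim in every risk event; since `src` is the risk object, `message: Potential brand abuse discovered in web logs from $src$` fixes the spelling and identifies the source. The `$src$` token form follows the supernova hunk in this commit and assumes the search emits `src`, which is not visible here.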
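Review bot: The new message interpolates `$dest$`, but the only risk object visible in this hunk is `user`; whether `dest` exists on the search results cannot be seen here, and if it does not, the token will appear unexpanded in the risk event. Either confirm the search outputs `dest`, or tie the message to the field that is actually scored: `message: Potential Supernova webshell activity by $user$ on $dest$`. Any further risk_objects or threat_objects entries lie outside this hunk.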