TRACING ATTACK CHAIN

BY IP

Once a potentially malicious IP has been identified, pivot on it: pull every request that IP made for reconnaissance or secret-exposing paths (.env, phpinfo, .git) and review them in time order with the user agent and response status alongside.

SPLUNK> Search & Reporting
 SPL: sourcetype=web_traffic client_ip="<REDACTED>" AND path IN ("/.env", "/*phpinfo*", "/.git*") | table _time, path, user_agent, status
 DTG: All time
 TAB: Statistics
 
 * a run of 404/403/401 responses against several of these paths within a few
   seconds, usually from a single non-browser user_agent, points to an automated
   scanner rather than a person; one isolated 404 on its own is noise
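
The same pivot run offline over a handful of constructed access-log lines, as an added Python example that is not part of the original notes and not a Splunk feature: it applies the client_ip filter and the wildcard path list from the SPL above, tabulates _time, path, user_agent and status, and then scores the rows for the burst-of-denials pattern described in the bullet. The combined log format, the IPs 203.0.113.7 and 198.51.100.4, and the 60-second / 3-request thresholds are assumptions.

```python
"""Pivot on a suspect client IP in web-access logs and flag scanner-like bursts.

Added example, not from the original notes: it mirrors the Splunk search
(filter on client_ip and a wildcard path list, table _time/path/user_agent/
status) in plain Python so the logic can be run offline over sample lines.
Log format, IP addresses and thresholds below are assumptions.
"""
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:15:03 +0000] "GET /admin/phpinfo.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2024:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:16:10 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Same path list as the SPL `path IN (...)`; Splunk's * matches any characters,
# including "/", which fnmatchcase also does.
PROBE_PATHS = ("/.env", "/*phpinfo*", "/.git*")
DENIED = {401, 403, 404}

LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<user_agent>[^"]*)"$'
)


def parse_log(text):
    """Parse access-log lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["_time"] = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def pivot_on_ip(events, client_ip, patterns=PROBE_PATHS):
    """Equivalent of: client_ip=<ip> path IN (patterns) | table _time, path, user_agent, status."""
    rows = [
        (ev["_time"], ev["path"], ev["user_agent"], ev["status"])
        for ev in events
        if ev["client_ip"] == client_ip
        and any(fnmatchcase(ev["path"], p) for p in patterns)
    ]
    return sorted(rows)  # oldest first, so the chain reads top to bottom


def scanner_indicators(rows, window=timedelta(seconds=60), threshold=3):
    """Score pivoted rows for automated probing: many denied responses to
    distinct paths inside one short window. Thresholds are illustrative."""
    denied_times = sorted(t for t, _, _, status in rows if status in DENIED)
    # Largest number of denied responses that fall inside any single window.
    burst_max = 0
    for i, start in enumerate(denied_times):
        n = sum(1 for t in denied_times[i:] if t - start <= window)
        burst_max = max(burst_max, n)
    distinct_paths = len({path for _, path, _, _ in rows})
    return {
        "denied": len(denied_times),
        "distinct_paths": distinct_paths,
        "burst_max": burst_max,
        "burst": burst_max >= threshold,
        "user_agents": sorted({ua for _, _, ua, _ in rows}),
        "automated": burst_max >= threshold and distinct_paths >= threshold,
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip in ("203.0.113.7", "198.51.100.4"):
        rows = pivot_on_ip(events, ip)
        print(f"\n{ip}: {len(rows)} matching request(s)")
        for t, path, ua, status in rows:
            print(f"  {t:%Y-%m-%d %H:%M:%S}  {status}  {path:<25} {ua}")
        print("  indicators:", scanner_indicators(rows))
```

Run against the constructed lines, 203.0.113.7 produces four denied responses to four distinct probe paths inside three seconds from one python-requests user agent and is flagged as automated; 198.51.100.4 hits /.env once with a browser user agent and is not, which is the single-404-is-noise case from the bullet above.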
