Synopsis
Activation Period: 14 Days
Training Period: 30 Days
Test Period: 2 Hours
Deduplication Period: 1 Day
Required Data: Requires one of the following data sources:
- Palo Alto Networks Platform Logs
- XDR Agent
Detection Modules:
Detector Tags:
ATT&CK Tactic:
ATT&CK Technique:
Severity: Low
Description
Uncommon HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
Attacker's Goals
Data exfiltration, attack tool staging or command and control channel through a trusted service.
Investigative actions
- Examine the legitimacy of the application that produced this uncommon connection.
- Examine the parent process of this application.
- Check for anomalies at the time when the communication occurred.
Variations
HTTP with suspicious characteristics which is repetitive
Synopsis
ATT&CK Tactic:
ATT&CK Technique:
Severity: Low
Description
Repetitive HTTP communication was performed by the host that might indicate its attempt to hide malicious activities.
Attacker's Goals
Data exfiltration, attack tool staging or command and control channel through a trusted service.
Investigative actions
- Examine the legitimacy of the application that produced this uncommon connection.
- Examine the parent process of this application.
- Check for anomalies at the time when the communication occurred.
HTTP with suspicious characteristics to an IP address
Synopsis
ATT&CK Tactic:
ATT&CK Technique:
Severity: Low
Description
Uncommon HTTP communication to an IP address was performed by the host that might indicate its attempt to hide malicious activities.
Attacker's Goals
Data exfiltration, attack tool staging or command and control channel through a trusted service.
Investigative actions
- Examine the legitimacy of the application that produced this uncommon connection.
- Examine the parent process of this application.
- Check for anomalies at the time when the communication occurred.
HTTP with suspicious characteristics that always fails
Synopsis
ATT&CK Tactic:
ATT&CK Technique:
Severity: Informational
Description
Unsuccessful HTTP communication to an IP address was performed by the host that might indicate its attempt to hide malicious activities.
Attacker's Goals
Data exfiltration, attack tool staging or command and control channel through a trusted service.
Investigative actions
- Examine the legitimacy of the application that produced this uncommon connection.
- Examine the parent process of this application.
- Check for anomalies at the time when the communication occurred.
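The four variations above all rest on the same idea: learn which (process, destination) pairs a host normally uses during the training period, then flag pairs in the short test period that were never seen before, and tag each flagged pair by what makes it suspicious (repetition, a literal IP destination, or a connection that never succeeds). The script below is an added illustration of that scheme over constructed HTTP connection records; it is not Cortex XDR's detector logic, and the record fields, the repeat threshold, the one-day deduplication window and the sample hosts, processes and destinations are all assumptions made for the example.

```python
"""Added example: baseline-and-anomaly check over HTTP connection records.
This is illustrative code, not the vendor's detection logic."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HttpConn:
    ts: datetime    # when the connection was made
    host: str       # endpoint that initiated it
    process: str    # image name of the initiating process
    dest: str       # destination as requested (FQDN or literal IP); assumed field
    ok: bool        # True if an HTTP response came back; assumed field


def build_baseline(training):
    """Per host, the set of (process, dest) pairs seen during the training period."""
    seen = defaultdict(set)
    for c in training:
        seen[c.host].add((c.process, c.dest))
    return seen


def is_ip(dest):
    """True when the destination is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def classify(test_window, baseline, repeat_threshold=10):
    """One finding per (host, process, dest) triple in the test window that is absent
    from the host's baseline. Tags mirror the page's variations; severity is
    Informational when every attempt failed, Low otherwise (choice made for this example)."""
    groups = defaultdict(list)
    for c in test_window:
        if (c.process, c.dest) not in baseline.get(c.host, set()):
            groups[(c.host, c.process, c.dest)].append(c)
    findings = []
    for (host, proc, dest), conns in sorted(groups.items(), key=lambda kv: kv[0]):
        tags = ["uncommon"]
        if len(conns) >= repeat_threshold:
            tags.append("repetitive")
        if is_ip(dest):
            tags.append("to an IP address")
        always_fails = all(not c.ok for c in conns)
        if always_fails:
            tags.append("always fails")
        findings.append({
            "host": host, "process": proc, "dest": dest,
            "count": len(conns), "tags": tags,
            "severity": "Informational" if always_fails else "Low",
        })
    return findings


def deduplicate(findings, last_alerted, now, period=timedelta(days=1)):
    """Drop findings already raised for the same triple within `period`;
    record the rest in `last_alerted` (a dict the caller keeps between runs)."""
    fresh = []
    for f in findings:
        key = (f["host"], f["process"], f["dest"])
        prev = last_alerted.get(key)
        if prev is not None and now - prev < period:
            continue
        last_alerted[key] = now
        fresh.append(f)
    return fresh


# Constructed sample data. Destinations use reserved documentation names/ranges.
T0 = datetime(2024, 1, 1, 12, 0)
TRAINING = [  # stands in for the 30-day training period
    HttpConn(T0 - timedelta(days=d), "ws-01", "chrome.exe", "www.example.com", True)
    for d in range(1, 31)
] + [HttpConn(T0 - timedelta(days=d), "ws-01", "outlook.exe", "mail.example.com", True)
     for d in range(1, 31)]
TEST_WINDOW = (  # stands in for the 2-hour test period
    [HttpConn(T0 + timedelta(minutes=5), "ws-01", "chrome.exe", "www.example.com", True)]
    + [HttpConn(T0 + timedelta(minutes=10 * i), "ws-01", "updater.exe", "203.0.113.7", True)
       for i in range(12)]                       # uncommon, repetitive, literal IP
    + [HttpConn(T0 + timedelta(minutes=30 * i), "ws-01", "svc.exe", "cdn.example.net", True)
       for i in range(2)]                        # uncommon only
    + [HttpConn(T0 + timedelta(minutes=20 * i), "ws-01", "tool.exe", "198.51.100.9", False)
       for i in range(3)]                        # uncommon, literal IP, never succeeds
)


def run_demo():
    """Classify the constructed test window against the constructed baseline."""
    return classify(TEST_WINDOW, build_baseline(TRAINING))


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

The baseline chrome.exe connection in the test window produces no finding, while the three unseen triples each come out with the tags a triage analyst would want to see first; the same investigative actions listed above (check the application, its parent process, and what else happened at that time) apply to each finding regardless of tag.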