Suspicious HTTP parameters detected

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2025-12-08
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Palo Alto Networks Platform Logs OR XDR Agent
Detection Modules
Detector Tags
ATT&CK Tactic	Initial Access (TA0001) Persistence (TA0003)
ATT&CK Technique	External Remote Services (T1133) Server Software Component: Web Shell (T1505.003)
Severity	Medium

Description

The endpoint received suspicious HTTP parameters via an HTTP request, which may indicate attempts to exploit server components or web shell activity.

Attacker's Goals

Attackers may exploit server components or misconfigurations to access arbitrary sensitive files on the web server.

Investigative actions

Inspect the legitimacy of the URI path and the parameters values sent to the server.
Ensure that the rare URI is not a legitimate result of routine development actions on the web server.