Vendor: F5
June 14, 2023 · View on GitHub
Product: WebSafe
Use-Case: Lateral Movement
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 10 | 0 | 3 | 2 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site T1090.003 - Proxy: Multi-hop Proxy ↳ A-NET-TOR-Outbound: Outbound connection to a known TOR IP ↳ A-WEB-TorProxy: Asset has accessed a known Tor web proxy ↳ A-WEB-UU-Tor: Asset has accessed a URL containing '/tor/server' ↳ WEB-UD-TorProxy: User has accessed a known Tor web proxy ↳ WEB-UI-Tor: User has accessed a known Tor exit node ↳ WEB-UU-Tor: User has accessed a URL containing '/tor/server' ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site T1190 - Exploit Public Fasing Application ↳ A-NET-Log4j-IP: Asset was accessed by an external IP associated with Log4j exploit | |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site T1090.003 - Proxy: Multi-hop Proxy ↳ A-NETF-TOR-Outbound: Outbound failed connection to a known TOR IP ↳ A-WEB-TorProxy: Asset has accessed a known Tor web proxy ↳ A-WEB-UU-Tor: Asset has accessed a URL containing '/tor/server' ↳ WEB-UD-TorProxy: User has accessed a known Tor web proxy ↳ WEB-UI-Tor: User has accessed a known Tor exit node ↳ WEB-UU-Tor: User has accessed a URL containing '/tor/server' ↳ WEB-URank-Tor: User has accessed a tor-to-web proxy site T1190 - Exploit Public Fasing Application ↳ A-NETF-Log4j-IP: There was a failed attempt to access this asset by an external IP associated with Log4j exploit |