LetsDefend level 1 alert SOC102 - Proxy - Suspicious URL Detected event-id 66
Details
EventID: 66
Event Time: Feb. 22, 2021, 8:36 p.m.
Rule: SOC102 - Proxy - Suspicious URL Detected
Level: Security Analyst
Source Address 172.16.17.150
Source Hostname ChanProd
Destination Address 35.173.160.135
Destination Hostname threatpost[.]com
Username Chan
Request URL https[:]//threatpost[.]com/malformed-url-prefix-phishing-attacks-spike-6000/164132/
User Agent Mozilla - Windows
Device Action Allowed
playbook
Collection Data
- Source Address
172.16.17.150 - Destination Address
35.173.160.135
VirusTotal: https://www.virustotal.com/gui/ip-address/35.173.160.135/detection - User-Agent
Mozilla - Windows
一応チェックしたが、通常通りのニュースサイトthreatpost[.]comである。
Search Log
アクセスは一件のみ。
| # | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
|---|---|---|---|---|---|---|
| 365 | Feb, 22, 2021, 08:36 PM | Proxy | 172.16.17.150 | 48684 | 35.173.160.135 | 443 |
Raw Log Request URL: https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/ Request Method: GET Device Action: Allowed Process: chrome.exe Parent Process: explorer.exe Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e
アクセス先のページは現在公開されていないようだ。
Analyze URL Address
今回の件に関係するものでMaliciousとなるものは無い。
Answer: Non-malicious
Add Artifacts
| Value | Type | Comment |
|---|---|---|
| 35.173.160.135 | IP address | threatpost[.]com |
| https[:]//threatpost[.]com/malformed-url-prefix-phishing-attacks-spike-6000/164132/ | URL Address | security news site |
End
