Detectionhightest

OpenCanary - HTTP POST Login Attempt

Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Security Onion SolutionsCreated Fri Mar 08af1ac430-df6b-4b38-b976-0b52f07a0252application

Log Source

opencanaryapplication

Productopencanary← raw: opencanary

Categoryapplication← raw: application

Detection Logic

detection:
    selection:
        logtype: 3001
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

af1ac430-df6b-4b38-b976-0b52f07a0252

Status

test

Level

high

Type

Detection

Created

Fri Mar 08

Author

Path

rules/application/opencanary/opencanary_http_post_login_attempt.yml

Raw Tags

attack.initial-accessattack.t1190