// Hunt over F5 ASM (WAF) telemetry: requests the WAF let through and the backend answered successfully
F5Telemetry_ASM_CL
| where RequestStatus == "passed"            // request was not blocked by the WAF
| where ResponseCode startswith "2"          // backend returned a 2xx response
| where SourceIP !startswith "3.31.100"      // exclude two source prefixes (string-prefix match, not CIDR)
| where SourceIP !startswith "10.84"
| where Request contains "////etc/passwd"    // 'contains' is a case-insensitive substring match
    or Request contains "/%E3%80%B1oast.me"
    or (Request has "GET" and Request contains "/../")      // 'has' matches a whole term, not a substring
    or (Request has "POST" and Request contains @"(java")   // @"..." is a verbatim string literal
threat hunting came back clean. I’ve put together an optimized version of the rule that keeps your exact detection logic but separates the filters into individual where clauses for better stability and maintainability. It also makes future updates easier to manage. Let me know if you’re comfortable replacing the current rule with this optimized version.
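To sanity-check the rule's logic offline before swapping it into production, the following is an added Python re-implementation of the same filters run over a handful of constructed F5 ASM rows. It is example code written for this page, not the author's, F5's or Microsoft's; the event records, IPs and request strings are made up. Each `| where` clause becomes one entry in `FILTERS`, so `explain()` reports which clause dropped a given event, which is the maintainability benefit of keeping the clauses separate. KQL `contains` and `startswith` are case-insensitive and `has` matches a whole term, which the helpers approximate.

```python
import re
from dataclasses import dataclass


@dataclass
class AsmEvent:
    """One F5 ASM telemetry row; field names mirror the KQL query's columns."""
    RequestStatus: str
    ResponseCode: str
    SourceIP: str
    Request: str


# KQL string operators: 'startswith' and 'contains' are case-insensitive,
# 'has' requires the value to appear as a whole term (approximated here with
# alphanumeric boundaries), and '==' is an exact, case-sensitive comparison.
def _startswith(value: str, prefix: str) -> bool:
    return value.lower().startswith(prefix.lower())


def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def _has(value: str, term: str) -> bool:
    pattern = r"(?<![a-z0-9_])" + re.escape(term) + r"(?![a-z0-9_])"
    return re.search(pattern, value, re.IGNORECASE) is not None


# Source prefixes excluded by the rule. As in the KQL, this is a string-prefix
# match, not a CIDR match: "10.84" excludes 10.84.x.x, but a shorter prefix such
# as "10.8" would also exclude 10.80.x.x through 10.89.x.x.
EXCLUDED_SOURCE_PREFIXES = ("3.31.100", "10.84")


def request_is_suspicious(req: str) -> bool:
    """Mirrors the final 'where' clause of the rule."""
    return (
        _contains(req, "////etc/passwd")
        or _contains(req, "/%E3%80%B1oast.me")
        or (_has(req, "GET") and _contains(req, "/../"))
        or (_has(req, "POST") and _contains(req, "(java"))
    )


# One entry per '| where' clause, applied in order.
FILTERS = [
    ("RequestStatus == passed", lambda e: e.RequestStatus == "passed"),
    ("ResponseCode startswith 2", lambda e: _startswith(e.ResponseCode, "2")),
    ("SourceIP not in excluded prefixes",
     lambda e: not any(_startswith(e.SourceIP, p) for p in EXCLUDED_SOURCE_PREFIXES)),
    ("Request matches a suspicious pattern", lambda e: request_is_suspicious(e.Request)),
]


def run_hunt(events):
    """Return the events that pass every filter, i.e. the rows the KQL rule would emit."""
    return [e for e in events if all(pred(e) for _, pred in FILTERS)]


def explain(event: AsmEvent):
    """Name the first filter that drops the event, or None if the event is a hit."""
    for name, pred in FILTERS:
        if not pred(event):
            return name
    return None


# Constructed sample telemetry (documentation IPs and invented requests).
SAMPLE_EVENTS = [
    AsmEvent("passed", "200", "203.0.113.7", "GET /images/../../../etc/passwd HTTP/1.1"),   # hit: GET + /../
    AsmEvent("passed", "200", "10.84.3.9", "GET /images/../../../etc/passwd HTTP/1.1"),     # excluded source prefix
    AsmEvent("passed", "404", "198.51.100.4", "GET /../../etc/passwd HTTP/1.1"),            # not a 2xx response
    AsmEvent("blocked", "200", "198.51.100.4", "GET /../../etc/passwd HTTP/1.1"),           # WAF blocked it
    AsmEvent("passed", "200", "198.51.100.4", "POST /api/items?filter=(java.lang.String) HTTP/1.1"),  # hit: POST + (java
    AsmEvent("passed", "200", "198.51.100.4", "POST /budget/../report HTTP/1.1"),           # "GET" inside "budget" is not a term
    AsmEvent("passed", "200", "203.0.113.7", "GET /%E3%80%B1oast.me/ HTTP/1.1"),            # hit: encoded oast.me
    AsmEvent("passed", "200", "203.0.113.7", "GET /index.html HTTP/1.1"),                   # benign
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(explain(ev) or "HIT", "<-", ev.SourceIP, ev.Request)
```

Running the block lists each sample row with either `HIT` or the name of the clause that excluded it; the `/budget/../` row illustrates why `has "GET"` differs from `contains "GET"` and would not fire.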
Want to Be a SOC Analyst or Threat Hunter? Part 6
🎯 New here? Make sure you check out the Intro, Part 1, Part 2, Part 3,