Rules: Web Request to Punycode Domain
This rule detects web requests to domains whose name contains a punycode-encoded (`xn--`) label. Punycode lets internationalized characters appear in a hostname, which is a common phishing technique used to mimic the appearance of a legitimate domain (an IDN homograph).
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Unknown/Other |
| Apply Risk to Entities | srcDevice_ip |
| Signal Name | Web Request to Punycode Domain |
| Summary Expression | Source IP {{srcDevice_ip}} was observed visiting a domain containing punycode characters. |
| Score/Severity | Static: 5 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.001 |
- Bro - Bro
- CheckPoint - URL Filtering
- Cisco Systems - Meraki
- Forcepoint - Web Security
- Fortinet - Fortigate
- Palo Alto Networks - Next Generation Firewall
- Symantec - Proxy Secure Gateway
- Zscaler - Firewall
- Zscaler - Nanolog Streaming Service
| Origin | Field |
|---|---|
| Normalized Schema | dstDevice_ip_isInternal |
| Normalized Schema | http_method |
| Normalized Schema | http_url_fqdn |
| Normalized Schema | listMatches |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | srcDevice_ip_isInternal |
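The following is an added illustration, not the rule's own expression (which the page does not show): it re-implements the detection over constructed records carrying the normalized fields listed above, flagging `xn--` labels in `http_url_fqdn` for internal sources talking to external destinations, and decodes the label so an analyst can see the look-alike name. The allowlist check standing in for `listMatches` is an assumption.

```python
import re

# Constructed sample of normalized web-proxy records (not real log data).
SAMPLE_RECORDS = [
    {"srcDevice_ip": "10.1.2.3", "srcDevice_ip_isInternal": True,
     "dstDevice_ip_isInternal": False, "http_method": "GET",
     "http_url_fqdn": "xn--pple-43d.com", "listMatches": []},
    {"srcDevice_ip": "10.1.2.4", "srcDevice_ip_isInternal": True,
     "dstDevice_ip_isInternal": False, "http_method": "GET",
     "http_url_fqdn": "www.example.com", "listMatches": []},
    # Internal destination: the rule only cares about outbound traffic.
    {"srcDevice_ip": "10.1.2.5", "srcDevice_ip_isInternal": True,
     "dstDevice_ip_isInternal": True, "http_method": "POST",
     "http_url_fqdn": "xn--80ak6aa92e.corp.example", "listMatches": []},
]

# A label is punycode when it starts with the IDNA ACE prefix "xn--".
PUNYCODE_LABEL = re.compile(r"(?:^|\.)xn--[a-z0-9-]+(?=\.|$)", re.IGNORECASE)

# Hypothetical list name; the real rule's listMatches semantics are not on the page.
ALLOWLIST_NAME = "punycode_allowlist"


def decode_label(label):
    """Return the Unicode form of one label, or the label itself if undecodable."""
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label


def evaluate(record):
    """Return a signal dict when the record matches, otherwise None."""
    fqdn = record.get("http_url_fqdn", "")
    if not PUNYCODE_LABEL.search(fqdn):
        return None
    if not record.get("srcDevice_ip_isInternal") or record.get("dstDevice_ip_isInternal"):
        return None
    if ALLOWLIST_NAME in record.get("listMatches", []):
        return None
    src = record["srcDevice_ip"]
    return {
        "signal_name": "Web Request to Punycode Domain",
        "severity": 5,
        "entity": src,
        "summary": f"Source IP {src} was observed visiting a domain containing punycode characters.",
        "fqdn": fqdn,
        # Decoded form reveals the homograph, e.g. Cyrillic 'a' in place of Latin 'a'.
        "decoded_fqdn": ".".join(decode_label(l) for l in fqdn.lower().split(".")),
    }


def run(records):
    return [s for s in (evaluate(r) for r in records) if s]
```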