Rules: Web Request to Punycode Domain

Description

This rule detects web requests to domains that include punycode characters, which is a common phishing technique used to mimic the appearance of a legitimate domain.

Additional Details

Detail	Value
Type	Templated Match
Category	Unknown/Other
Apply Risk to Entities	srcDevice_ip
Signal Name	Web Request to Punycode Domain
Summary Expression	Source IP {{srcDevice_ip}} was observed visiting a domain containing punycode characters.
Score/Severity	Static: 5
Enabled by Default	True
Prototype	False
Tags	_mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.001

Vendors and Products

Bro - Bro
CheckPoint - URL Filtering
Cisco Systems - Meraki
Forcepoint - Web Security
Fortinet - Fortigate
Palo Alto Networks - Next Generation Firewall
Symantec - Proxy Secure Gateway
Zscaler - Firewall
Zscaler - Nanolog Streaming Service

Fields Used

Origin	Field
Normalized Schema	dstDevice_ip_isInternal
Normalized Schema	http_method
Normalized Schema	http_url_fqdn
Normalized Schema	listMatches
Normalized Schema	srcDevice_ip
Normalized Schema	srcDevice_ip_isInternal

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

MATCH-S00566.md

MATCH-S00566.md

Rules: Web Request to Punycode Domain

Description

Additional Details

Vendors and Products

Fields Used

Files

MATCH-S00566.md

Latest commit

History

MATCH-S00566.md

File metadata and controls

Rules: Web Request to Punycode Domain

Description

Additional Details

Vendors and Products

Fields Used