Rules: Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Detail | Value |
---|---|
Type | Templated Match |
Category | Unknown/Other |
Apply Risk to Entities | srcDevice_hostname, device_hostname, device_ip, srcDevice_ip, user_username |
Signal Name | Telegram API Access |
Summary Expression | Observed Telegram API access from non-Telegram user agent from IP: {{srcDevice_ip}} |
Score/Severity | Static: 4 |
Enabled by Default | True |
Prototype | False |
Tags | _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.001, _mitreAttackTechnique:T1106, _mitreAttackTechnique:T1102, _mitreAttackTechnique:T1102.002 |
- Amazon AWS - Route53
- Bro - Bro
- Cisco Systems - Umbrella
- Fortinet - Fortigate
- Infoblox - Network Identity Operating System
- Microsoft - DNS
- Microsoft - Windows
- Sophos - UTM 9
Origin | Field |
---|---|
Normalized Schema | device_hostname |
Normalized Schema | device_ip |
Normalized Schema | dns_query |
Normalized Schema | dns_queryDomain |
Normalized Schema | srcDevice_hostname |
Normalized Schema | srcDevice_ip |
Normalized Schema | user_username |