MATCH-S00595.md

# Rules: Telegram API Access

## Description

Detects suspicious requests to the Telegram API that lack the usual Telegram User-Agent.

## Additional Details

| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Unknown/Other |
| Apply Risk to Entities | srcDevice_hostname, device_hostname, device_ip, srcDevice_ip, user_username |
| Signal Name | Telegram API Access |
| Summary Expression | Observed Telegram API access from non-Telegram user agent from IP: {{srcDevice_ip}} |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1071, _mitreAttackTechnique:T1071.001, _mitreAttackTechnique:T1106, _mitreAttackTechnique:T1102, _mitreAttackTechnique:T1102.002 |

## Vendors and Products

## Fields Used

| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | dns_query |
| Normalized Schema | dns_queryDomain |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |