WAPPLES

Last updated Mar 13, 2025

High-Risk Web Exploit Detection

Logpresso raises alerts after re-validating WAPPLES events that were processed in DETECT mode, alerting only when the payload indicates a confirmed high-risk exploit.

Query

This query selects WAPPLES alert logs with action DETECT and an HTTP request payload, applies the ml-scan-http-request command in Logpresso, and raises an alert only when the verdict is attack and the tags mark one of the critical threat classes (XSS, SQL injection, command injection, XXE).

| search _schema == "attack" and action == "DETECT" and signature != "Invalid HTTP" and isnotnull(http_req_headers)
| rename http_req_headers as raw_data
| ml-scan-http-request
| search verdict == "attack" and match(tags, "(?:#xss|#sql_injection|#command_injection|#xxe_injection)(?=\\s|$)")
| lookup geoip src_ip output country as src_country, asn as src_asn

Message

  • WAPPLES High-Risk Web Attack Detected: $src_ip ($src_asn) -> $vhost ($tags)

Output Field Order

  • _log_time, risk, src_ip, vhost, tags, decoded_strings, highlights, signature, action, reason, raw_data

Threat Analysis

  • A web application firewall must immediately block high-risk web attacks. However, in practice, many rules are operated in detection mode because blocking legitimate users due to false positives can cause service disruptions. This operation mode prioritizes service availability but assumes the security team will promptly validate the attack and block the attacker’s IP address. If analysis and response are delayed, the risk becomes significant.
  • In particular, decisions by the Personal Information Protection Commission show that merely deploying security equipment and operating it in detection mode is not regarded as fulfilling the duty to take protective measures, and does not exempt the operator from liability for negligence.

False Positive Types

  • The ml-scan-http-request command classifies requests as true or false positives using a machine learning model, so a legitimate HTTP request may occasionally be misclassified as an attack. For clear false-positive patterns, add exception conditions to the detection rule so that identical alerts are not generated repeatedly.
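As an added illustration of the query's filter chain and of the exception conditions described above (example code, not part of the Logpresso rule or the WAPPLES product), the following Python reproduces the DETECT/payload filter, the whole-token tag match, and a hypothetical (vhost, tag) exception list on constructed events whose verdict and tags stand in for the ml-scan-http-request output.

```python
import re

# Tag pattern taken from the detection query: the lookahead (?=\s|$) makes a tag
# count only as a whole token, so "#xss_probe" does not satisfy "#xss".
HIGH_RISK_TAGS = re.compile(
    r"(?:#xss|#sql_injection|#command_injection|#xxe_injection)(?=\s|$)")

# Hypothetical exception list for confirmed false positives: (vhost, tag) pairs.
FALSE_POSITIVE_EXCEPTIONS = {("static.example.test", "#xss")}

def is_high_risk(event, exceptions=FALSE_POSITIVE_EXCEPTIONS):
    # Apply the query's filter chain to one event that already carries the
    # verdict and tags produced by the ML scan step.
    if event.get("_schema") != "attack" or event.get("action") != "DETECT":
        return False  # only re-validate events the WAF let through
    if event.get("signature") == "Invalid HTTP" or event.get("http_req_headers") is None:
        return False  # no parseable request payload to scan
    if event.get("verdict") != "attack":
        return False  # the scan judged the payload benign
    match = HIGH_RISK_TAGS.search(event.get("tags", ""))
    if match is None:
        return False  # an attack, but not one of the four critical classes
    return (event.get("vhost"), match.group(0)) not in exceptions

def alert_message(event):
    # Render the rule's alert message template.
    return (f"WAPPLES High-Risk Web Attack Detected: {event['src_ip']} "
            f"({event['src_asn']}) -> {event['vhost']} ({event['tags']})")

def run(events):
    return [alert_message(e) for e in events if is_high_risk(e)]

# Constructed sample events; src_asn stands in for the geoip lookup output.
def sample(**overrides):
    e = {"_schema": "attack", "action": "DETECT", "signature": "SQL Injection",
         "http_req_headers": "GET /login?id=1 HTTP/1.1", "verdict": "attack",
         "tags": "#sql_injection #union", "src_ip": "203.0.113.7",
         "src_asn": "AS64496", "vhost": "www.example.test"}
    e.update(overrides)
    return e

SAMPLE_EVENTS = [
    sample(),                                          # alert
    sample(tags="#xss_probe", src_ip="203.0.113.8"),   # token lookahead rejects
    sample(action="BLOCK"),                            # WAF already blocked it
    sample(verdict="normal", tags="#xss"),             # ML scan says benign
    sample(tags="#xss", vhost="static.example.test"),  # listed exception
    sample(signature="Invalid HTTP"),                  # excluded by the query
]
```

Calling run(SAMPLE_EVENTS) yields exactly one alert line, for the first event; the other five are dropped by the stage named in their comment.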

Response Plan

  • This detection scenario automatically validates HTTP request payloads and only raises alerts when they are confirmed as real high-risk attacks. Security staff must review the attack details and promptly block the attacker’s IP address.
  • Verify whether the attack targeted an actual application vulnerability by comparing it with HTTP request data. If the attack may have succeeded, further investigate whether a web shell was installed or other anomalies occurred on the web server.
  • If the attacker attempted to exploit an actual vulnerability, patch the affected network services and applications to ensure the same attack cannot succeed again.

MITRE ATT&CK

References