03-03-2025 08:52 PM
Hello Folks,
I am looking for ways to detect exploitation attempts for this vulnerability through SIEM. Based on the blogs available, the vulnerability can be exploited by accessing a URL with "unauth" on the management interface. So I am thinking of looking for web interface access logs with the keyword "unauth". However, I would like your help to get the details below.
1. Which log will provide the management IP address?
2. Whenever a user accesses the management IP through the web, which type of log will provide the access log? (traffic, config, system, etc.)
3. Which type of log will give the full URL when a user accesses the web interface?
Feel free to guide me to any resource that provides this information.
Thanks in advance.
Regards,
Ameer Mane
03-05-2025 07:55 PM
Hi @ameermane ,
You can check the system logs and query for ( eventid eq 'auth-fail' ), or for all logs related to auth, ( subtype eq 'auth' ).
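An added example, not part of the original replies or any vendor code: a SIEM-side sketch that applies the two system-log filters from the reply above to already-parsed records and flags sources with repeated `auth-fail` events in a short window. Only `eventid` and `subtype` come from the thread; the `time` and `src` field names, the threshold, the window and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real firewall output). Field names other than
# 'eventid' and 'subtype' are assumed; map them to your SIEM's parsed fields.
SAMPLE = [
    {"time": "2025-03-03 20:50:01", "subtype": "auth", "eventid": "auth-fail", "src": "198.51.100.7"},
    {"time": "2025-03-03 20:50:40", "subtype": "auth", "eventid": "auth-fail", "src": "198.51.100.7"},
    {"time": "2025-03-03 20:51:55", "subtype": "auth", "eventid": "auth-fail", "src": "198.51.100.7"},
    {"time": "2025-03-03 21:15:00", "subtype": "auth", "eventid": "auth-fail", "src": "198.51.100.7"},
    {"time": "2025-03-03 20:52:10", "subtype": "auth", "eventid": "auth-fail", "src": "192.0.2.10"},
    {"time": "2025-03-03 20:52:30", "subtype": "auth", "eventid": "auth-success", "src": "192.0.2.10"},
    {"time": "2025-03-03 20:53:00", "subtype": "general", "eventid": "general", "src": "192.0.2.10"},
]

def matches_reply_filters(rec):
    """Same selection as ( eventid eq 'auth-fail' ) or ( subtype eq 'auth' )."""
    return rec.get("eventid") == "auth-fail" or rec.get("subtype") == "auth"

def auth_fail_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Return {src: max auth-fail count in any window} for sources at or above threshold."""
    by_src = defaultdict(list)
    for rec in records:
        if rec.get("eventid") != "auth-fail":
            continue
        try:
            ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # skip records with a missing or malformed timestamp
        by_src[rec.get("src", "unknown")].append(ts)

    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            # Slide the left edge until the window spans at most `window`.
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(sum(matches_reply_filters(r) for r in SAMPLE), "auth-related records")
    print(auth_fail_bursts(SAMPLE))
```
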