https://community.splunk.com/t5/Security/Search-to-detect-XSS-attacks/m-p/572812#M15682 <P>Hello,</P><P>I have made a search/query to detect the attacks of XSS the problem I have is that it also shows valid requests because there are words (cookie, script) that also appear as invalid requests</P><P>¿How could I filter so that it only shows the attacks?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">search "&lt;script&gt;" OR "&lt;/script&gt;" OR "&amp;#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00"| append [ datamodel Web search | where like(uri,"http:/%") OR like(uri,"*javascript*") OR like(uri,"*vbscript*") OR like(uri,"*applet*") OR like(uri," *script*") OR like(uri,"*frame*")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Oct 2021 12:12:09 GMT JB2021 2021-10-28T12:12:09Z https://community.splunk.com/t5/Security/Search-to-detect-XSS-attacks/m-p/572812#M15682 <P>Hello,</P><P>I have made a search/query to detect the attacks of XSS the problem I have is that it also shows valid requests because there are words (cookie, script) that also appear as invalid requests</P><P>¿How could I filter so that it only shows the attacks?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">search "&lt;script&gt;" OR "&lt;/script&gt;" OR "&amp;#" OR "script" OR "`" OR "cookie" OR "alert" OR "%00"| append [ datamodel Web search | where like(uri,"http:/%") OR like(uri,"*javascript*") OR like(uri,"*vbscript*") OR like(uri,"*applet*") OR like(uri," *script*") OR like(uri,"*frame*")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Oct 2021 12:12:09 GMT https://community.splunk.com/t5/Security/Search-to-detect-XSS-attacks/m-p/572812#M15682 JB2021 2021-10-28T12:12:09Z