Field Value Event ID 120 Event Time Mar 01, 2022, 10:10 AM Rule SOC170 – Passwd Found in Requested URL – Possible LFI Attack Analyst Level Security Analyst Hostname WebServer1006 Destination IP Address 172.16.17.13 Source IP Address 106.55.45.162 HTTP Request Method GET Requested URL https://172.16.17.13/?file=../../../../etc/passwd User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) Alert Trigger Reason URL contains passwd Device Action Allowed Play Book 1. Alert Overview A web attack alert was triggered on WebServer1006 due to the detection of a directory traversal payload attempting to access the sensitive system file /etc/passwd via an HTTP GET request.