HTTP requests containing path traversal sequences

Goal

Detect HTTP requests containing path traversal sequences in the URL path or query string, including when the response is successful.

Strategy

This rule monitors OCSF HTTP request events for plain and URL-encoded parent-directory traversal sequences in the URL path and query string, with matches grouped by @ocsf.src_endpoint.ip.
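
As an added illustration of the detection logic described above (example code, not the rule's own implementation), the following Python runs a bounded-decoding traversal check over constructed OCSF-style HTTP Activity records and groups hits by source IP, separating matches that received a successful response. The field names http_request.url.path, http_request.url.query_string, http_response.code and src_endpoint.ip are assumed from the OCSF schema; all record values are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed OCSF-style HTTP Activity records (field names follow OCSF's
# http_request / http_response / src_endpoint objects; values are made up).
SAMPLE_EVENTS = [
    {"src_endpoint": {"ip": "203.0.113.10"}, "http_response": {"code": 200},
     "http_request": {"url": {"path": "/static/../../etc/passwd", "query_string": ""}}},
    {"src_endpoint": {"ip": "203.0.113.10"}, "http_response": {"code": 403},
     "http_request": {"url": {"path": "/download", "query_string": "file=..%2F..%2Fetc%2Fshadow"}}},
    {"src_endpoint": {"ip": "198.51.100.7"}, "http_response": {"code": 200},
     "http_request": {"url": {"path": "/api/files", "query_string": "name=%252e%252e%252fconfig"}}},
    {"src_endpoint": {"ip": "198.51.100.7"}, "http_response": {"code": 200},
     "http_request": {"url": {"path": "/index.html", "query_string": "q=hello..world"}}},
]

# Plain or single-encoded "..", followed by "/" or "\" (plain or encoded).
TRAVERSAL_RE = re.compile(r"(?:\.|%2e){2}(?:/|\\|%2f|%5c)", re.IGNORECASE)


def is_traversal(value: str) -> bool:
    """True if a traversal sequence appears at any of a few decoding depths."""
    # Decoding is bounded so double-encoded forms (%252e%252e%252f) are caught
    # without looping forever on input crafted to keep decoding.
    for _ in range(3):
        if TRAVERSAL_RE.search(value):
            return True
        decoded = unquote(value)
        if decoded == value:
            return False
        value = decoded
    return bool(TRAVERSAL_RE.search(value))


def detect(events):
    """Group matching requests by source IP, as the rule does.

    Returns {src_ip: {"count": n, "successful": m}}; "successful" counts
    matches that got a 2xx response, the ones to triage first.
    """
    hits = defaultdict(lambda: {"count": 0, "successful": 0})
    for ev in events:
        url = ev.get("http_request", {}).get("url", {})
        target = url.get("path", "") + "?" + url.get("query_string", "")
        if not is_traversal(target):
            continue
        ip = ev.get("src_endpoint", {}).get("ip", "unknown")
        hits[ip]["count"] += 1
        if 200 <= ev.get("http_response", {}).get("code", 0) < 300:
            hits[ip]["successful"] += 1
    return dict(hits)
```

Running `detect(SAMPLE_EVENTS)` flags both requests from 203.0.113.10 (one answered 200) and the double-encoded request from 198.51.100.7, while the benign `hello..world` query is ignored.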

Triage and response

  • Review whether traversal attempts reached sensitive files or APIs and whether responses leaked content.
  • If activity is malicious and unauthorized, consider blocking or rate limiting {{@ocsf.src_endpoint.ip}} and follow your incident response process.