Quick Start Security for HackerOne
Coralogix Extension For HackerOne Includes:
Alerts - 6
Stay on top of HackerOne key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
IPs Related to HackerOne Observed
This alert detects whenever IPs and URIs related to HackerOne are observed in the logs. HackerOne is a security platform that connects businesses with penetration testers and cybersecurity researchers.
Impact: An attacker who gains access to HackerOne's vulnerability disclosure reports can exploit the reported vulnerabilities before they are patched. This can eventually damage the organization's reputation.
Mitigation: Check whether the traffic is legitimate. If it is not, investigate further.
MITRE Tactic: TA0001
MITRE Technique: T1190
URI Specific Traffic Observed
This alert detects whenever HackerOne-related traffic is generated for the URIs belonging to the organization. HackerOne is a security platform that connects businesses with penetration testers and cybersecurity researchers.
Impact: An attacker who gains access to HackerOne's vulnerability disclosure reports can exploit the reported vulnerabilities before they are patched. This can eventually damage the organization's reputation.
Mitigation: Check whether the traffic is legitimate. If it is not, investigate further.
MITRE Tactic: TA0108
MITRE Technique: T0819
Traffic Generated For HackerOne
This alert detects whenever HackerOne-related traffic is generated from a public IP. HackerOne is a security platform that connects businesses with penetration testers and cybersecurity researchers.
Impact: An attacker who gains access to HackerOne's vulnerability disclosure reports can exploit the reported vulnerabilities before they are patched. This can eventually damage the organization's reputation.
Mitigation: If the traffic is from a public IP address, check its legitimacy. If the source of the traffic is not known, investigate further.
Note: Please add the internal CIDR IP range to the whitelist according to your requirements.
MITRE Tactic: TA0108
MITRE Technique: T0819
Bug bounty header Seen
This alert detects whenever the 'x_bug_bounty' header is present in the logs. Security researchers and bug bounty hunters use this custom HTTP header in the research and findings they report to an organization as part of HackerOne's bug bounty programs.
Impact: An attacker who gains access to these vulnerability disclosure reports can exploit the reported vulnerabilities before they are patched. This can cause damage to the organization.
Mitigation: Make sure that users include this HTTP header in vulnerability disclosure requests so that it can be validated that the request came via HackerOne. If these reports are shared on a public forum before the vulnerabilities are patched, check this header to identify whether the report came via HackerOne. If it did, investigate further.
MITRE Tactic: TA0108
MITRE Technique: T0819
Potentially Malicious Traffic Observed
This alert detects whenever HackerOne-related traffic is generated from an IP that is not a trusted IP on the URIs belonging to the organization. HackerOne is a security platform that connects businesses with penetration testers and cybersecurity researchers.
Impact: An attacker who gains access to HackerOne's vulnerability disclosure reports can exploit the reported vulnerabilities before they are patched. This can eventually damage the organization's reputation.
Mitigation: Check whether the traffic is legitimate. If it is not, investigate further.
Note: Please add the internal CIDR IP range to the whitelist according to your requirements.
MITRE Tactic: TA0108
MITRE Technique: T0819
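The sketch below is an added example, not Coralogix's rule definitions: it triages constructed log lines against three of the alert conditions described above (header present, source outside the internal CIDR allowlist, request on an organization URI). It assumes the 'x_bug_bounty' header is the marker for HackerOne-related traffic; the JSON log schema, CIDR ranges and URI prefixes are hypothetical placeholders.

```python
import ipaddress
import json

# Assumptions (not from the page): JSON log schema, CIDR values, URI prefixes.
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]
ORG_URI_PREFIXES = ("/api/", "/account/")
BUG_BOUNTY_HEADER = "x_bug_bounty"  # header name as given in the alert description

def has_bug_bounty_header(headers):
    # Loggers differ on case and on "-" vs "_", so normalise before comparing.
    return any(str(k).lower().replace("-", "_") == BUG_BOUNTY_HEADER for k in headers)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # a missing or unparseable source address is never trusted
    return any(ip in net for net in TRUSTED_CIDRS)

def classify(line):
    """Return the names of the alerts that one log line would raise."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return []
    if not isinstance(event, dict):
        return []
    headers = event.get("headers")
    if not isinstance(headers, dict) or not has_bug_bounty_header(headers):
        return []
    alerts = ["Bug bounty header Seen"]
    if not is_trusted(str(event.get("src_ip", ""))):
        alerts.append("Traffic Generated For HackerOne")
        if str(event.get("uri", "")).startswith(ORG_URI_PREFIXES):
            alerts.append("Potentially Malicious Traffic Observed")
    return alerts

# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOGS = [
    '{"src_ip": "10.1.2.3", "uri": "/api/users", "headers": {"X-Bug-Bounty": "r1"}}',
    '{"src_ip": "203.0.113.7", "uri": "/api/users", "headers": {"x_bug_bounty": "r2"}}',
    '{"src_ip": "198.51.100.9", "uri": "/static/a.png", "headers": {"X-Bug-Bounty": "r3"}}',
    '{"src_ip": "203.0.113.7", "uri": "/api/users", "headers": {"User-Agent": "curl"}}',
    'not json',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(classify(raw), raw)
```

The header is set by the client, so its presence labels traffic for triage and does not authenticate the sender.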
5xx Status Code Generated
This alert detects when a 5xx downstream status code is present in the logs. This status code is generated when downstream validation fails. The different 5xx downstream status codes are:
500 - Unable to complete the HTTP request downstream, and the exception is not OperationCanceledException or HttpRequestException.
502 - Unable to connect to the downstream service.
503 - The downstream request times out.
Impact: A large number of 5xx requests can indicate server failure for any of the reasons stated above.
Mitigation: Investigate whether a high number of downstream error codes is being generated and remediate according to the error code generated.
MITRE Tactic: TA0040
MITRE Technique: T1498
Integration
Learn more about Coralogix's out-of-the-box integration with HackerOne in our documentation.