LoFP / web application
Title: False positives may vary based on Cisco AI Defense configuration; monitor and filter out the alerts that are not relevant to your environment.
Tags: web application, splunk

Title: False positives should be limited; however, tune or filter as needed.
Tags: t1190, web application, splunk

Title: Legitimate new account creation by authorized administrators will generate similar log entries. However, those should include proper authentication details. Verify any detected events against expected administrative activities and authorized user lists.
Tags: t1190, web application, splunk

Title: Limited false positives should occur, as this pattern is highly specific to CVE-2025-24813 exploitation. However, legitimate application errors that use similar cookie patterns and result in 500 status codes might trigger false positives. Review the JSESSIONID cookie format and the associated request context to confirm exploitation attempts.
Tags: t1190, t1505.003, web application, splunk

Title: No known false positives for this detection. If the alerts are noisy, consider tuning this detection by using the _filter macro in this search, and/or updating the tool this alert originates from.
Tags: web application, splunk

Title: Some legitimate applications might use PUT requests to create .session files, especially in custom implementations that leverage Tomcat's session persistence mechanism. Verify whether the detected activity is part of a normal application flow or whether it correlates with other suspicious behavior, such as subsequent GET requests with manipulated JSESSIONID cookies.
Tags: t1190, t1505.003, web application, splunk