LoFP / legitimate use of telegram bots in the company

Techniques

Sample rules

Telegram API Access

Description

Detects suspicious requests to the Telegram API that lack the usual Telegram User-Agent

Detection logic

condition: selection and not filter
filter:
  c-useragent|contains:
  - Telegram
  - Bot
selection:
  cs-host: api.telegram.org

Telegram Bot API Request

Description

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

Detection logic

condition: selection
selection:
  query: api.telegram.org
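To see how the two rules above behave against the false-positive scenario this page names (sanctioned Telegram bots inside the company), the following added example re-implements their matching logic in Python and runs it over constructed proxy and DNS records. It is not part of the original page or of the Sigma project; the log records, source IPs, User-Agent strings and the `src_ip` field are all constructed for illustration, and the allowlist-based suppression is one tuning approach assumed here, not something the rules themselves contain. Sigma string matching is case-insensitive, which the helper reproduces.

```python
# Added example: evaluate the two Sigma rules above over constructed log records.
from typing import Callable, Dict, FrozenSet, Iterable, List, Sequence

Event = Dict[str, str]

# Constructed proxy log records using the field names of the first rule
# (cs-host, c-useragent). src_ip is an assumed extra field for triage.
PROXY_EVENTS: List[Event] = [
    {"src_ip": "10.0.1.10", "cs-host": "api.telegram.org", "c-useragent": "Telegram Desktop/4.8"},
    {"src_ip": "10.0.1.11", "cs-host": "api.telegram.org", "c-useragent": "python-requests/2.31"},
    {"src_ip": "10.0.1.12", "cs-host": "api.telegram.org", "c-useragent": "InternalAlertBot/1.0"},
    {"src_ip": "10.0.1.13", "cs-host": "api.telegram.org", "c-useragent": "curl/8.1"},
    {"src_ip": "10.0.1.14", "cs-host": "example.com", "c-useragent": "python-requests/2.31"},
]

# Constructed DNS log records using the field name of the second rule (query).
DNS_EVENTS: List[Event] = [
    {"src_ip": "10.0.1.11", "query": "api.telegram.org"},
    {"src_ip": "10.0.1.13", "query": "API.TELEGRAM.ORG"},
    {"src_ip": "10.0.1.14", "query": "example.com"},
]


def _contains_any(value: str, needles: Sequence[str]) -> bool:
    """Sigma '|contains' list semantics: any needle as a case-insensitive substring."""
    haystack = (value or "").lower()
    return any(n.lower() in haystack for n in needles)


def telegram_api_access(event: Event) -> bool:
    """Rule 'Telegram API Access': condition is 'selection and not filter'."""
    selection = (event.get("cs-host") or "").lower() == "api.telegram.org"
    filt = _contains_any(event.get("c-useragent", ""), ("Telegram", "Bot"))
    return selection and not filt


def telegram_bot_api_request(event: Event) -> bool:
    """Rule 'Telegram Bot API Request': condition is just 'selection'."""
    return (event.get("query") or "").lower() == "api.telegram.org"


def run_rule(rule: Callable[[Event], bool], events: Iterable[Event],
             allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the src_ip of every matching event, dropping allowlisted sources.

    The allowlist is the assumed tuning step for this LoFP entry: hosts that run
    the company's sanctioned Telegram bots are suppressed instead of weakening
    the rule's User-Agent filter, which unsanctioned clients could also satisfy.
    """
    return [e["src_ip"] for e in events if rule(e) and e["src_ip"] not in allowlist]


if __name__ == "__main__":
    print("API access hits:", run_rule(telegram_api_access, PROXY_EVENTS))
    print("DNS query hits: ", run_rule(telegram_bot_api_request, DNS_EVENTS))
    sanctioned = frozenset({"10.0.1.11"})  # constructed: host of an approved company bot
    print("API access after allowlist:", run_rule(telegram_api_access, PROXY_EVENTS, sanctioned))
```

Running it shows the false-positive mechanics: the sanctioned bot on 10.0.1.11 (a plain python-requests client) fires the first rule just like the unexplained curl client on 10.0.1.13, while the bot on 10.0.1.12 is silently excluded only because its User-Agent happens to contain "Bot". The User-Agent filter therefore does not separate sanctioned from unsanctioned clients; suppressing known bot hosts at the source keeps the rule intact for everything else.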