LoFP / legitimate use of telegram bots in the company

Techniques

Sample rules

Telegram Bot API Request

Description

Detects DNS queries for api.telegram.org, the endpoint used by Telegram bots of any kind. Every resolution of that name matches, so sanctioned in-house bots fire this rule as well.

Detection logic

selection:
  query: api.telegram.org
condition: selection

Telegram API Access

Description

Detects requests to the Telegram API (api.telegram.org) whose User-Agent does not contain "Telegram" or "Bot", i.e. traffic from generic HTTP clients rather than the official Telegram applications or self-identifying bot libraries.

Detection logic

selection:
  cs-host: api.telegram.org
filter:
  c-useragent|contains:
  - Telegram
  - Bot
condition: selection and not filter
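To show what both rules actually match, and how the "legitimate use of telegram bots in the company" false positive is typically handled, the following added example (not part of the original page or the Sigma project) evaluates the two rule bodies above over constructed DNS and proxy events. The event records, the binary path C:\Tools\alertbot.exe and the allowlist SANCTIONED_BOT_IMAGES are assumptions made up for the illustration; string matching is done case-insensitively, which is Sigma's default for plain and `contains` comparisons.

```python
"""Evaluate the two Telegram Sigma rules from this page over constructed sample events."""
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed DNS-query events (hypothetical; field names follow the rule, not a real log schema).
DNS_EVENTS: List[Event] = [
    {"query": "api.telegram.org", "Image": "C:\\Tools\\alertbot.exe"},           # sanctioned company bot
    {"query": "api.telegram.org", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"},  # unknown binary
    {"query": "www.example.com", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
]

# Constructed proxy events (hypothetical) using the W3C-style field names from the rule.
PROXY_EVENTS: List[Event] = [
    {"cs-host": "api.telegram.org", "c-useragent": "Telegram Desktop"},      # official client -> filtered
    {"cs-host": "api.telegram.org", "c-useragent": "python-requests/2.31.0"},  # generic client -> alert
    {"cs-host": "api.telegram.org", "c-useragent": "OpsAlertBot/1.0"},       # contains "Bot" -> filtered
    {"cs-host": "example.com", "c-useragent": "curl/8.0.1"},                 # not Telegram at all
]


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma `|contains` with a list: true if any needle is a case-insensitive substring."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def telegram_bot_api_request(event: Event) -> bool:
    """Rule 1: condition: selection, selection.query == api.telegram.org."""
    return event.get("query", "").lower() == "api.telegram.org"


def telegram_api_access(event: Event) -> bool:
    """Rule 2: selection and not filter (cs-host match, User-Agent lacks Telegram/Bot)."""
    selection = event.get("cs-host", "").lower() == "api.telegram.org"
    filtered = contains_any(event.get("c-useragent", ""), ["Telegram", "Bot"])
    return selection and not filtered


# Hypothetical tuning for the LoFP above: allowlist the binaries of bots the company runs on purpose.
SANCTIONED_BOT_IMAGES = {"c:\\tools\\alertbot.exe"}


def telegram_bot_api_request_tuned(event: Event) -> bool:
    """Rule 1 with an added filter on the process image so sanctioned bots stop alerting."""
    image = event.get("Image", "").lower()
    return telegram_bot_api_request(event) and image not in SANCTIONED_BOT_IMAGES


def run(rule: Callable[[Event], bool], events: List[Event]) -> List[int]:
    """Return the indices of the events that the rule matches."""
    return [index for index, event in enumerate(events) if rule(event)]


if __name__ == "__main__":
    print("Telegram Bot API Request       ->", run(telegram_bot_api_request, DNS_EVENTS))
    print("  same rule, sanctioned bot allowlisted ->", run(telegram_bot_api_request_tuned, DNS_EVENTS))
    print("Telegram API Access            ->", run(telegram_api_access, PROXY_EVENTS))
```

The untuned DNS rule fires on both the sanctioned bot and the unknown binary, which is exactly the false positive this page records; scoping the exclusion to the specific image (or signer, or host) keeps the detection for everything else. Note also that the proxy rule's filter is only a substring test on the client-supplied User-Agent, so the third proxy event is dropped merely because its agent string contains "Bot"; anything that can set its own User-Agent can choose one that passes the filter, so the rule is a low-noise indicator rather than a control.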