DV_BB
Level 7
Message 1 of 5

HTTP Request Payload.txt Alerts?


Hello,

We recently deployed McAfee DLP to a large number of our endpoints and are starting to adjust the policies. Something we've noticed a lot of are alerts that have an evidence name of "HTTP Request Payload.txt".

When we review the alert, it indicates that there is corresponding data such as credit cards, etc. My question is, are these typically noise, and if not, is there a best practice to help adjust it accordingly? Thanks in advance.

Accepted Solutions
Corey-DLP
McAfee Employee
McAfee Employee
Message 2 of 5

Re: HTTP Request Payload.txt Alerts?


Hello and thank you for posting here! 

The HTTP Request Payload.txt files are legitimate uploads to a web server, but are generally not uploads conducted by an end-user. They are typically the result of the browser using web post methods such as AJAX/Web requests in the background. These events are often captured by DLP when a Web Post Protection rule is configured too broadly. KB92682 has some further details. 

Regarding the credit card numbers you're seeing in these files, this is likely a numeric string that is matching one of the credit card regex patterns. While the number may validate against the regex pattern, the number is most likely not intended to be a credit card number. Often these types of background web requests will contain numeric strings that are similar to credit card numbers, social security numbers, etc. 

There are essentially two ways to work around this. The first would be to modify the classification used in the Web Post protection rule so that the scope of the data it is searching for is narrower. If this is not possible and it is deemed that these HTTP Request Payload files are not considered to be a data loss vector in your environment, these incidents could be purged by configuring a purge task in your incident manager which would look for these evidence files.


4 Replies

DV_BB
Level 7
Message 3 of 5

Re: HTTP Request Payload.txt Alerts?


@Corey-DLP 

Hello and thanks for the response. I'll look into modifying the classification. Additionally, is it possible to set thresholds for credit card number detections? In other words, it seems that the rule is triggering any time it detects a credit card number once in the payload.txt file; however, can I simply change/set a threshold to 10, so that the rule will fire when it sees 10 credit cards instead of just 1? If so, can you please advise where this is configured? I'm unable to find it within the policy itself and/or classifications. Thanks

Corey-DLP
McAfee Employee
McAfee Employee
Message 4 of 5

Re: HTTP Request Payload.txt Alerts?


You can absolutely modify threshold values. By default, they are all set to 1 for advanced patterns. You can modify this when editing your classification. When you click the ellipsis button (...) to add or remove advanced patterns in your classification, there is a threshold column which displays the threshold value for each definition. These values can be modified up to a value of 1000. I think this would be an excellent way to help reduce false positives. I've attached a screenshot of where the threshold settings can be found.
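
The two points made in this thread, that a numeric string in a background request can satisfy a credit-card regex without being a card number, and that raising the per-definition threshold from 1 keeps a single stray match from firing the rule, can be seen together in the following script. This is an added illustration, not McAfee DLP code and not the product's actual pattern or classification logic; the regex, the Luhn validation step and the sample request body are all constructed here for demonstration. It counts regex candidates in a payload, counts how many of those also pass the Luhn check (a validation that real card numbers satisfy), and applies a configurable threshold in the spirit of the classification setting described above.

```python
import re
from typing import List

# Constructed sample request body (not from the original thread). It mimics a
# background AJAX/telemetry POST: a 16-digit session id, a 13-digit timestamp,
# and two well-known card-industry test numbers placed in ordinary fields.
SAMPLE_PAYLOAD = (
    '{"event":"pageview","session":"1234567890123456",'
    '"ts":1700000000000,"order_ref":"4111 1111 1111 1111",'
    '"trace":"5500-0000-0000-0004"}'
)

# Hypothetical card-number candidate pattern: 13 to 19 digits, optionally
# separated by single spaces or hyphens, and not embedded in a longer digit run.
# Real DLP advanced patterns are more elaborate; this is a stand-in.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidate_pans(text: str) -> List[str]:
    """All substrings that look like a card number by shape alone (regex only)."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in CARD_CANDIDATE.finditer(text)]


def count_luhn_valid(text: str) -> int:
    """Number of regex candidates that also pass the Luhn check."""
    return sum(1 for pan in candidate_pans(text) if luhn_valid(pan))


def should_alert(text: str, threshold: int = 1) -> bool:
    """Fire only when at least `threshold` Luhn-valid candidates are present.

    threshold=1 mirrors the default described in the thread; a higher value
    (e.g. 10) suppresses payloads that carry only a stray matching string.
    """
    return count_luhn_valid(text) >= threshold


if __name__ == "__main__":
    cands = candidate_pans(SAMPLE_PAYLOAD)
    print("regex candidates :", len(cands), cands)
    print("luhn-valid       :", count_luhn_valid(SAMPLE_PAYLOAD))
    print("alert @ threshold 1 :", should_alert(SAMPLE_PAYLOAD, 1))
    print("alert @ threshold 10:", should_alert(SAMPLE_PAYLOAD, 10))
```

On the sample body the regex alone flags four strings (session id, timestamp and the two test numbers), the checksum step keeps two, and a threshold of 10 suppresses the alert entirely, which is the behaviour the question above is after. The order of the two filters matters for triage: narrowing the pattern (or adding validation) removes shape-only matches, while the threshold decides how many genuine-looking matches one payload must carry before it is worth an analyst's time.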

DV_BB
Level 7
Message 5 of 5

Re: HTTP Request Payload.txt Alerts?


@Corey-DLP - Thanks for the information and help, very much appreciated!
