Average combined payload size elevated

firetail:average-combined-payload-size-elevated

Type:

Detection

Rule Severity:

Info

The average combined request and response payload size during a given period was greater than or equal to the mean plus one standard deviation of the preceding period.

Although payloads for individual requests may change and vary between endpoints, the overall average payload size for an application should be fairly stable. Fluctuations in the average payload size may indicate higher than normal usage, changed usage patterns, changed data content, etc. Any of these can be indicators of malicious behaviour.

Remediation

Investigate what has caused the combined request and response payloads sent to this API to increase significantly in size.

Example Attack Scenario

An attacker may have a completely abnormal usage pattern, such as only using a single list endpoint to exfiltrate data and hitting that endpoint much more frequently than a normal user would. The proportionally higher number of these requests will raise the average payload size for the whole service.
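The following is an added example of how the rule described above can be evaluated over API access records, and of the list-endpoint scenario from the attack description. It is illustrative code, not FireTail's implementation: the record field names (`path`, `request_bytes`, `response_bytes`), the use of the population standard deviation, and all sample sizes are assumptions constructed for this example.

```python
"""Evaluate the 'average combined payload size elevated' rule.

Added example, not FireTail's code. Assumptions: each access record
carries request and response sizes in bytes; the baseline statistics
are the population mean and standard deviation of the combined size
over the preceding period; the rule fires when the current period's
average is >= baseline mean + one standard deviation.
"""
from statistics import fmean, pstdev

# Constructed baseline (preceding) period: a normal mix of one list
# endpoint and one detail endpoint.
BASELINE = [
    {"path": "/users",   "request_bytes": 100, "response_bytes": 800},
    {"path": "/users/1", "request_bytes": 100, "response_bytes": 1000},
    {"path": "/users",   "request_bytes": 100, "response_bytes": 800},
    {"path": "/users/2", "request_bytes": 100, "response_bytes": 1000},
]

# Constructed current period with the same normal usage pattern.
CURRENT_NORMAL = [
    {"path": "/users",   "request_bytes": 100, "response_bytes": 800},
    {"path": "/users/3", "request_bytes": 100, "response_bytes": 1000},
    {"path": "/users",   "request_bytes": 100, "response_bytes": 800},
]

# Constructed current period where one client repeatedly pulls the
# list endpoint with large page sizes, so those larger responses
# dominate the period's average.
CURRENT_ABNORMAL = CURRENT_NORMAL + [
    {"path": "/users", "request_bytes": 120, "response_bytes": 2400}
    for _ in range(5)
]


def combined_size(record):
    """Request plus response payload size for one access record."""
    return record["request_bytes"] + record["response_bytes"]


def period_average(records):
    """Mean combined payload size over a period's records."""
    return fmean(combined_size(r) for r in records)


def evaluate(baseline_records, current_records):
    """Apply the rule: current average >= baseline mean + one stdev.

    Returns the intermediate values so an analyst can see how far the
    current period sits from its threshold, not just a boolean.
    """
    baseline_sizes = [combined_size(r) for r in baseline_records]
    baseline_mean = fmean(baseline_sizes)
    baseline_stdev = pstdev(baseline_sizes)  # population stdev (assumed)
    threshold = baseline_mean + baseline_stdev
    current_average = period_average(current_records)
    return {
        "baseline_mean": baseline_mean,
        "baseline_stdev": baseline_stdev,
        "threshold": threshold,
        "current_average": current_average,
        "triggered": current_average >= threshold,
    }


def requests_by_path(records):
    """Count requests per path; a useful first pivot when the rule fires,
    since a single endpoint dominating the period points at the cause."""
    counts = {}
    for r in records:
        counts[r["path"]] = counts.get(r["path"], 0) + 1
    return counts


if __name__ == "__main__":
    for label, current in (("normal", CURRENT_NORMAL),
                           ("abnormal", CURRENT_ABNORMAL)):
        result = evaluate(BASELINE, current)
        print(label, result, requests_by_path(current))
```

With the constructed baseline the combined sizes are 900, 1100, 900, 1100 bytes, giving a mean of 1000, a standard deviation of 100 and a threshold of 1100. The normal current period averages about 967 bytes and does not fire; the abnormal period averages 1937.5 bytes and does, and the per-path counts show the list endpoint accounting for most of its requests, which is the pattern the remediation step asks you to investigate.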

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications