This article walks through a typical investigation of a suspicious visitor which triggered a Captcha page.
Upon detecting the threat, Distil serves a Captcha page to the visitor.
Beyond the Turing test, each Captcha page includes the IP address and trace information associated with the request.
As an analyst, you can extract the information and then explore it using Dynamic Reporting Engine (DRE):
- IP Address: 184.108.40.206
- Trace: 6ce2681d-e5a8-4469-9f16-f69e30ff930e
- Via: 809d12b6-952f-41fc-abe9-8f1075cba0cb
Let’s take that request information and access the Request Investigation dashboard.
Expand the filters list and paste the trace value (6ce2681d-e5a8-4469-9f16-f69e30ff930e) in the Request ID field. Then, click Run.
We can view the threat category, the Captcha results, the response Distil took, and the complete rundown of forensic data associated with the malicious attempting all in a single view.
Next, we can filter by the request’s IP address (220.127.116.11) to drill down into any other past appearances of the abusive source in your web, API, and mobile traffic.
We can see our original Captcha’ed request was part of a series of malicious automated requests.