
Commit 2153a52

committed
[Rule Tunings] Misc. Web Server Rules
1 parent c3d0916 commit 2153a52

5 files changed

+69
-88
lines changed

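--- a/rules/cross-platform/persistence_web_server_potential_command_injection.toml
+++ b/rules/cross-platform/persistence_web_server_potential_command_injection.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis", "network_traffic"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -54,14 +54,12 @@ rule_id = "f3ac6734-7e52-4a0d-90b7-6847bf4308f2"
 severity = "low"
 tags = [
 "Domain: Web",
-"Domain: Network",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
 "Tactic: Persistence",
 "Tactic: Execution",
 "Tactic: Credential Access",
 "Tactic: Command and Control",
-"Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
@@ -71,26 +69,24 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 | where
-(url.original is not null or url.full is not null) and
 // Limit to 200 response code to reduce noise
 http.response.status_code == 200
 
-| eval Esql.url_lower = case(url.original is not null, url.original, url.full)
-| eval Esql.url_lower = to_lower(Esql.url_lower)
-
-| eval Esql.contains_interpreter = case(Esql.url_lower like "*python* -c*" or Esql.url_lower like "*perl* -e*" or Esql.url_lower like "*ruby* -e*" or Esql.url_lower like "*ruby* -rsocket*" or Esql.url_lower like "*lua* -e*" or Esql.url_lower like "*php* -r*" or Esql.url_lower like "*node* -e*", 1, 0)
-| eval Esql.contains_shell = case(Esql.url_lower like "*/bin/bash*" or Esql.url_lower like "*bash*-c*" or Esql.url_lower like "*/bin/sh*" or Esql.url_lower rlike "*sh.{1,2}-c*", 1, 0)
-| eval Esql.contains_nc = case(Esql.url_lower like "*netcat*" or Esql.url_lower like "*ncat*" or Esql.url_lower rlike """.*nc.{1,2}[0-9]{1,3}(\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*""" or Esql.url_lower like "*nc.openbsd*" or Esql.url_lower like "*nc.traditional*" or Esql.url_lower like "*socat*", 1, 0)
-| eval Esql.contains_devtcp = case(Esql.url_lower like "*/dev/tcp/*" or Esql.url_lower like "*/dev/udp/*", 1, 0)
-| eval Esql.contains_helpers = case((Esql.url_lower like "*/bin/*" or Esql.url_lower like "*/usr/bin/*") and (Esql.url_lower like "*mkfifo*" or Esql.url_lower like "*nohup*" or Esql.url_lower like "*setsid*" or Esql.url_lower like "*busybox*"), 1, 0)
-| eval Esql.contains_sus_cli = case(Esql.url_lower like "*import*pty*spawn*" or Esql.url_lower like "*import*subprocess*call*" or Esql.url_lower like "*tcpsocket.new*" or Esql.url_lower like "*tcpsocket.open*" or Esql.url_lower like "*io.popen*" or Esql.url_lower like "*os.execute*" or Esql.url_lower like "*fsockopen*", 1, 0)
-| eval Esql.contains_privileges = case(Esql.url_lower like "*chmod*+x", 1, 0)
-| eval Esql.contains_downloader = case(Esql.url_lower like "*curl *" or Esql.url_lower like "*wget *" , 1, 0)
-| eval Esql.contains_file_read_keywords = case(Esql.url_lower like "*/etc/shadow*" or Esql.url_lower like "*/etc/passwd*" or Esql.url_lower like "*/root/.ssh/*" or Esql.url_lower like "*/home/*/.ssh/*" or Esql.url_lower like "*~/.ssh/*" or Esql.url_lower like "*/proc/self/environ*", 1, 0)
-| eval Esql.contains_base64_cmd = case(Esql.url_lower like "*base64*-d*" or Esql.url_lower like "*echo*|*base64*", 1, 0)
-| eval Esql.contains_suspicious_path = case(Esql.url_lower like "*/tmp/*" or Esql.url_lower like "*/var/tmp/*" or Esql.url_lower like "*/dev/shm/*" or Esql.url_lower like "*/root/*" or Esql.url_lower like "*/home/*/*" or Esql.url_lower like "*/var/www/*" or Esql.url_lower like "*/etc/cron.*/*", 1, 0)
+| eval Esql.url_original_to_lower = to_lower(url.original)
+
+| eval Esql.contains_interpreter = case(Esql.url_original_to_lower like "*python* -c*" or Esql.url_original_to_lower like "*perl* -e*" or Esql.url_original_to_lower like "*ruby* -e*" or Esql.url_original_to_lower like "*ruby* -rsocket*" or Esql.url_original_to_lower like "*lua* -e*" or Esql.url_original_to_lower like "*php* -r*" or Esql.url_original_to_lower like "*node* -e*", 1, 0)
+| eval Esql.contains_shell = case(Esql.url_original_to_lower like "*/bin/bash*" or Esql.url_original_to_lower like "*bash*-c*" or Esql.url_original_to_lower like "*/bin/sh*" or Esql.url_original_to_lower rlike "*sh.{1,2}-c*", 1, 0)
+| eval Esql.contains_nc = case(Esql.url_original_to_lower like "*netcat*" or Esql.url_original_to_lower like "*ncat*" or Esql.url_original_to_lower rlike """.*nc.{1,2}[0-9]{1,3}(\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*""" or Esql.url_original_to_lower like "*nc.openbsd*" or Esql.url_original_to_lower like "*nc.traditional*" or Esql.url_original_to_lower like "*socat*", 1, 0)
+| eval Esql.contains_devtcp = case(Esql.url_original_to_lower like "*/dev/tcp/*" or Esql.url_original_to_lower like "*/dev/udp/*", 1, 0)
+| eval Esql.contains_helpers = case((Esql.url_original_to_lower like "*/bin/*" or Esql.url_original_to_lower like "*/usr/bin/*") and (Esql.url_original_to_lower like "*mkfifo*" or Esql.url_original_to_lower like "*nohup*" or Esql.url_original_to_lower like "*setsid*" or Esql.url_original_to_lower like "*busybox*"), 1, 0)
+| eval Esql.contains_sus_cli = case(Esql.url_original_to_lower like "*import*pty*spawn*" or Esql.url_original_to_lower like "*import*subprocess*call*" or Esql.url_original_to_lower like "*tcpsocket.new*" or Esql.url_original_to_lower like "*tcpsocket.open*" or Esql.url_original_to_lower like "*io.popen*" or Esql.url_original_to_lower like "*os.execute*" or Esql.url_original_to_lower like "*fsockopen*", 1, 0)
+| eval Esql.contains_privileges = case(Esql.url_original_to_lower like "*chmod*+x", 1, 0)
+| eval Esql.contains_downloader = case(Esql.url_original_to_lower like "*curl *" or Esql.url_original_to_lower like "*wget *" , 1, 0)
+| eval Esql.contains_file_read_keywords = case(Esql.url_original_to_lower like "*/etc/shadow*" or Esql.url_original_to_lower like "*/etc/passwd*" or Esql.url_original_to_lower like "*/root/.ssh/*" or Esql.url_original_to_lower like "*/home/*/.ssh/*" or Esql.url_original_to_lower like "*~/.ssh/*" or Esql.url_original_to_lower like "*/proc/self/environ*", 1, 0)
+| eval Esql.contains_base64_cmd = case(Esql.url_original_to_lower like "*base64*-d*" or Esql.url_original_to_lower like "*echo*|*base64*", 1, 0)
+| eval Esql.contains_suspicious_path = case(Esql.url_original_to_lower like "*/tmp/*" or Esql.url_original_to_lower like "*/var/tmp/*" or Esql.url_original_to_lower like "*/dev/shm/*" or Esql.url_original_to_lower like "*/root/*" or Esql.url_original_to_lower like "*/home/*/*" or Esql.url_original_to_lower like "*/var/www/*" or Esql.url_original_to_lower like "*/etc/cron.*/*", 1, 0)
 
 | eval Esql.any_payload_keyword = case(
 Esql.contains_interpreter == 1 or Esql.contains_shell == 1 or Esql.contains_nc == 1 or Esql.contains_devtcp == 1 or
@@ -99,7 +95,7 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 
 | keep
 @timestamp,
-Esql.url_lower,
+Esql.url_original_to_lower,
 Esql.any_payload_keyword,
 Esql.contains_interpreter,
 Esql.contains_shell,
@@ -123,13 +119,13 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 
 | stats
 Esql.event_count = count(),
-Esql.url_path_count_distinct = count_distinct(Esql.url_lower),
+Esql.url_path_count_distinct = count_distinct(Esql.url_original_to_lower),
 
 // General fields
 
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
-Esql.url_path_values = values(Esql.url_lower),
+Esql.url_path_values = values(Esql.url_original_to_lower),
 Esql.http.response.status_code_values = values(http.response.status_code),
 Esql.user_agent_original_values = values(user_agent.original),
 Esql.event_dataset_values = values(event.dataset),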
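Review bot: The `contains_shell` eval on new line 80 still mixes glob syntax into a regex — `Esql.url_original_to_lower rlike "*sh.{1,2}-c*"` — whereas the `contains_nc` rlike two lines below is written as a proper anchored regex (`.*nc… .*`); a leading `*` has nothing to repeat and the trailing `c*` means "zero or more c", so this branch most likely never matches the `sh -c` forms it is meant to score. The sibling pattern shows the intended shape: `Esql.url_original_to_lower rlike ".*sh.{1,2}-c.*"`. This is pre-existing, but the commit rewrites every one of these lines, so it is the natural place to correct it. Since `url.full` is no longer a source, a one-line comment on the `where` noting that only `url.original` is consulted and that a null value scores 0 in every `case(...)` would save the next reader from re-adding the guard.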

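--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["network_traffic", "nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -52,10 +52,8 @@ rule_id = "8383a8d0-008b-47a5-94e5-496629dc3590"
 severity = "low"
 tags = [
 "Domain: Web",
-"Domain: Network",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
-"Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
@@ -65,14 +63,12 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 | where
-(url.original is not null or url.full is not null) and
 http.request.method == "GET" and
 http.response.status_code in (404, 403)
 
-| eval Esql.url_text = case(url.original is not null, url.original, url.full)
-| eval Esql.url_lower = to_lower(Esql.url_text)
+| eval Esql.url_original_to_lower = to_lower(url.original)
 
 | keep
 @timestamp,
@@ -82,19 +78,19 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 source.ip,
 agent.id,
 host.name,
-Esql.url_lower
+Esql.url_original_to_lower
 | stats
 Esql.event_count = count(),
-Esql.url_lower_count_distinct = count_distinct(Esql.url_lower),
+Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
-Esql.url_path_values = values(Esql.url_lower),
+Esql.url_original_values = values(Esql.url_original_to_lower),
 Esql.event_dataset_values = values(event.dataset)
 by source.ip
 | where
-Esql.event_count > 500 and Esql.url_lower_count_distinct > 250
+Esql.event_count > 500 and Esql.url_original_count_distinct > 250
 '''
 
 [[rule.threat]]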
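Review bot: Dropping the `(url.original is not null or url.full is not null)` guard at old line 70 changes what `Esql.event_count` measures: GET 404/403 responses with no `url.original` now still count toward the `> 500` side of the final `where`, while `count_distinct` skips nulls so they never contribute to the `> 250` distinct-path side. That is probably harmless for a fuzzing detector, but it is not obvious from the query, so a comment on the `where` would help, e.g. `// url.original may be null for some sources: such rows count as events but not as distinct paths`. The same guard is removed in the other three access-log rules in this commit (command injection, error response codes, unusual user agents) and the same note applies there.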

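--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/19"
 integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/25"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
 Esql.event_dataset_values = values(event.dataset)
 by source.ip, agent.id
 | where
-Esql.event_count > 25
+Esql.event_count > 50
 '''
 
 [[rule.threat]]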
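Review bot: The threshold change on new line 83 (`Esql.event_count > 25` to `> 50`) is the only substantive edit in this file and neither the old nor the new value carries a rationale in the query itself, so the next tuner has only git history to go on. A trailing comment would keep that history in the rule, e.g. `Esql.event_count > 50 // per source.ip/agent.id per rule window; raised from 25 on 2025/12/01`. The enclosing query starts outside the hunk.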

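--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["network_traffic", "nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -53,10 +53,8 @@ rule_id = "6fa3abe3-9cd8-41de-951b-51ed8f710523"
 severity = "low"
 tags = [
 "Domain: Web",
-"Domain: Network",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
-"Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
@@ -66,18 +64,17 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 | where
-(url.original is not null or url.full is not null) and
 http.request.method == "GET" and
 http.response.status_code in (
 500, // Internal Server Error
 502, // Bad Gateway
 503, // Service Unavailable
 504 // Gateway Timeout
 )
-| eval Esql.url_text = case(url.original is not null, url.original, url.full)
-| eval Esql.url_lower = to_lower(Esql.url_text)
+
+| eval Esql.url_original_to_lower = to_lower(url.original)
 
 | keep
 @timestamp,
@@ -87,7 +84,7 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 source.ip,
 agent.id,
 host.name,
-Esql.url_lower
+Esql.url_original_to_lower
 | stats
 Esql.event_count = count(),
 Esql.http_response_status_code_count = count(http.response.status_code),
@@ -96,7 +93,7 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 Esql.agent_id_values = values(agent.id),
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
-Esql.url_path_values = values(Esql.url_lower),
+Esql.url_path_values = values(Esql.url_original_to_lower),
 Esql.event_dataset_values = values(event.dataset)
 by source.ip, agent.id
 | where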

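--- a/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis", "network_traffic"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
-updated_date = "2025/11/24"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -52,11 +52,9 @@ rule_id = "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35"
 severity = "low"
 tags = [
 "Domain: Web",
-"Domain: Network",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
 "Tactic: Credential Access",
-"Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",
@@ -66,40 +64,34 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 
-| eval Esql.user_agent_original_lower = to_lower(user_agent.original)
+| eval Esql.user_agent_original_to_lower = to_lower(user_agent.original), Esql.url_original_to_lower = to_lower(url.original)
 
 | where
-(url.original is not null or url.full is not null) and
-(
-Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto
-Esql.user_agent_original_lower like "nikto*" or // Nikto
-Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner
-Esql.user_agent_original_lower like "*nessus*" or // Nessus Vulnerability Scanner
-Esql.user_agent_original_lower like "sqlmap/*" or // SQLMap
-Esql.user_agent_original_lower like "wpscan*" or // WPScan
-Esql.user_agent_original_lower like "feroxbuster/*" or // Feroxbuster
-Esql.user_agent_original_lower like "masscan*" or // Masscan & masscan-ng
-Esql.user_agent_original_lower like "fuzz*" or // Ffuf
-Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch
-Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb
-Esql.user_agent_original_lower like "dirbuster*" or // Dirbuster
-Esql.user_agent_original_lower like "gobuster/*" or // Gobuster
-Esql.user_agent_original_lower like "*dirsearch*" or // dirsearch
-Esql.user_agent_original_lower like "*nmap*" or // Nmap Scripting Engine
-Esql.user_agent_original_lower like "*hydra*" or // Hydra Brute Forcer
-Esql.user_agent_original_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework
-Esql.user_agent_original_lower like "*arachni*" or // Arachni Web Application Security Scanner
-Esql.user_agent_original_lower like "*skipfish*" or // Skipfish Web Application Security Scanner
-Esql.user_agent_original_lower like "*openvas*" or // OpenVAS Vulnerability Scanner
-Esql.user_agent_original_lower like "*acunetix*" or // Acunetix Vulnerability Scanner
-Esql.user_agent_original_lower like "*zap*" or // OWASP ZAP
-Esql.user_agent_original_lower like "*burp*" // Burp Suite
-)
-
-| eval Esql.url_text = case(url.original is not null, url.original, url.full)
-| eval Esql.url_lower = to_lower(Esql.url_text)
+Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto
+Esql.user_agent_original_to_lower like "nikto*" or // Nikto
+Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner
+Esql.user_agent_original_to_lower like "*nessus*" or // Nessus Vulnerability Scanner
+Esql.user_agent_original_to_lower like "sqlmap/*" or // SQLMap
+Esql.user_agent_original_to_lower like "wpscan*" or // WPScan
+Esql.user_agent_original_to_lower like "feroxbuster/*" or // Feroxbuster
+Esql.user_agent_original_to_lower like "masscan*" or // Masscan & masscan-ng
+Esql.user_agent_original_to_lower like "fuzz*" or // Ffuf
+Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36" or // Dirsearch
+Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb
+Esql.user_agent_original_to_lower like "dirbuster*" or // Dirbuster
+Esql.user_agent_original_to_lower like "gobuster/*" or // Gobuster
+Esql.user_agent_original_to_lower like "*dirsearch*" or // dirsearch
+Esql.user_agent_original_to_lower like "*nmap*" or // Nmap Scripting Engine
+Esql.user_agent_original_to_lower like "*hydra*" or // Hydra Brute Forcer
+Esql.user_agent_original_to_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework
+Esql.user_agent_original_to_lower like "*arachni*" or // Arachni Web Application Security Scanner
+Esql.user_agent_original_to_lower like "*skipfish*" or // Skipfish Web Application Security Scanner
+Esql.user_agent_original_to_lower like "*openvas*" or // OpenVAS Vulnerability Scanner
+Esql.user_agent_original_to_lower like "*acunetix*" or // Acunetix Vulnerability Scanner
+Esql.user_agent_original_to_lower like "*zap*" or // OWASP ZAP
+Esql.user_agent_original_to_lower like "*burp*" // Burp Suite
 
 | keep
 @timestamp,
@@ -108,19 +100,19 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 source.ip,
 agent.id,
 host.name,
-Esql.url_lower,
-Esql.user_agent_original_lower
+Esql.url_original_to_lower,
+Esql.user_agent_original_to_lower
 | stats
 Esql.event_count = count(),
-Esql.url_path_count_distinct = count_distinct(Esql.url_lower),
+Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
-Esql.url_path_values = values(Esql.url_lower),
-Esql.user_agent_original_values = values(Esql.user_agent_original_lower),
+Esql.url_original_values = values(Esql.url_original_to_lower),
+Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
 Esql.event_dataset_values = values(event.dataset)
 by source.ip, agent.id
 | where
-Esql.event_count > 50 and Esql.url_path_count_distinct > 10
+Esql.event_count > 50 and Esql.url_original_count_distinct > 10
 '''
 
 [[rule.threat]]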
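Review bot: The Dirsearch user-agent pattern on new line 81 is corrupted: the string literal contains `chrome/user_agent.original like~ 87.0.4280.88`, a fragment of a different expression spliced into the middle of the UA, so that `like` can never match a real User-Agent header and the Dirsearch branch is dead. The commit renames the variable on that line but carries the broken literal over unchanged. Presumably the intended value is `"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.88 safari/537.36"`; confirm against the tool's default UA before changing it. With the outer `(`…`)` and the `url.original` guard removed, the `where` is now a flat `or` chain, which is correct today but will need the parentheses back if an `and` clause is ever re-added.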
