
Commit 2361f53

1 parent d40dbe0 commit 2361f53

1 file changed

+9
-14
lines changed


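--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -12,21 +12,17 @@ reconnaissance activities such as vulnerability scanning or fuzzing attempts by
 generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes
 may potentially indicate server-side issues that could be exploited.
 """
-from = "now-61m"
-interval = "1h"
+from = "now-9m"
+interval = "10m"
 language = "esql"
 license = "Elastic License v2"
 name = "Web Server Unusual Spike in Error Response Codes"
-risk_score = 47
+risk_score = 21
 rule_id = "6fa3abe3-9cd8-41de-951b-51ed8f710523"
-severity = "medium"
+severity = "low"
 tags = [
-"Domain Scope: Single",
 "Domain: Web",
 "Domain: Network",
-"OS: Linux",
-"OS: macOS",
-"OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
 "Data Source: Network Packet Capture",
@@ -46,7 +42,6 @@ from
 logs-apache_tomcat.access-*,
 logs-iis.access-*
 | where
-@timestamp > now() - 1 hours and
 (url.original is not null or url.full is not null) and
 http.request.method == "GET" and
 http.response.status_code in (
@@ -55,8 +50,8 @@ from
 503, // Service Unavailable
 504 // Gateway Timeout
 )
-| eval Esql_url_text = case(url.original is not null, url.original, url.full)
-| eval Esql_url_lower = to_lower(Esql_url_text)
+| eval Esql.url_text = case(url.original is not null, url.original, url.full)
+| eval Esql.url_lower = to_lower(Esql.url_text)
 
 | keep
 @timestamp,
@@ -66,7 +61,7 @@ from
 source.ip,
 agent.id,
 host.name,
-Esql_url_lower
+Esql.url_lower
 | stats
 Esql.event_count = count(),
 Esql.http_response_status_code_count = count(http.response.status_code),
@@ -75,9 +70,9 @@ from
 Esql.agent_id_values = values(agent.id),
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
-Esql.url_path_values = values(Esql_url_lower),
+Esql.url_path_values = values(Esql.url_lower),
 Esql.event_dataset_values = values(event.dataset)
-by source.ip
+by source.ip, agent.id
 | where
 Esql.http_response_status_code_count > 10
 | limit 100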
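Review bot: The new schedule appears to leave a gap between runs: `from = "now-9m"` looks back nine minutes while `interval = "10m"` fires every ten, so unless additional look-back is configured elsewhere roughly one minute of access-log events per cycle is never evaluated (the old pair, now-61m with a 1h interval, had a one-minute overlap); `from = "now-11m"` or similar would restore overlap. Separately, the threshold `Esql.http_response_status_code_count > 10` is unchanged while the evaluation window shrank from an hour to about ten minutes, making the rule roughly six times more sensitive per unit time; the drop to severity low may be intended to compensate, but a short note in the description stating the chosen count-per-window would help operators tune it. Finally, `Esql.url_path_values = values(Esql.url_lower)` is unbounded, and fuzzing — the very behaviour this rule targets — produces many distinct URLs per source in a few minutes, so consider capping it after the stats with something like `| eval Esql.url_path_values = mv_slice(Esql.url_path_values, 0, 19)` to keep alert documents small.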
