Update tags in reconnaissance web server rule

Aegrah · web-flow · commit b18fcd48f878 · 2025-11-19T14:31:24.000+01:00
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
@@ -21,18 +21,18 @@ risk_score = 47
 rule_id = "6fa3abe3-9cd8-41de-951b-51ed8f710523"
 severity = "medium"
 tags = [
-    "Domain: Single",
+    "Domain Scope: Single",
     "Domain: Web",
     "OS: Linux",
     "OS: macOS",
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Reconnaissance",
     "Data Source: Network Packet Capture",
-    "Data Source: Nginx Access Logs",
-    "Data Source: Apache Access Logs",
-    "Data Source: Apache Tomcat Access Logs",
-    "Data Source: IIS Access Logs",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Data Source: IIS",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
