
Commit c04b0ec

1 parent bc1ff89 commit c04b0ec

1 file changed

+6
-11
lines changed


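--- a/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
+++ b/rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml
@@ -11,21 +11,17 @@ This rule detects potential web server discovery or fuzzing activity by identify
 in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker
 is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
 """
-from = "now-61m"
-interval = "1h"
+from = "now-9m"
+interval = "10m"
 language = "esql"
 license = "Elastic License v2"
 name = "Web Server Discovery or Fuzzing Activity"
 risk_score = 21
 rule_id = "8383a8d0-008b-47a5-94e5-496629dc3590"
 severity = "low"
 tags = [
-"Domain Scope: Single",
 "Domain: Web",
 "Domain: Network",
-"OS: Linux",
-"OS: macOS",
-"OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
 "Data Source: Network Packet Capture",
@@ -45,13 +41,12 @@ from
 logs-apache_tomcat.access-*,
 logs-iis.access-*
 | where
-@timestamp > now() - 1 hours and
 (url.original is not null or url.full is not null) and
 http.request.method == "GET" and
 http.response.status_code in (404, 403)
 
 | eval Esql_url_text = case(url.original is not null, url.original, url.full)
-| eval Esql_url_lower = to_lower(Esql_url_text)
+| eval Esql.url_lower = to_lower(Esql_url_text)
 
 | keep
 @timestamp,
@@ -61,15 +56,15 @@ from
 source.ip,
 agent.id,
 host.name,
-Esql_url_lower
+Esql.url_lower
 | stats
 Esql.event_count = count(),
-Esql.url_lower_count_distinct = count_distinct(Esql_url_lower),
+Esql.url_lower_count_distinct = count_distinct(Esql.url_lower),
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
 Esql.http_request_method_values = values(http.request.method),
 Esql.http_response_status_code_values = values(http.response.status_code),
-Esql.url_path_values = values(Esql_url_lower),
+Esql.url_path_values = values(Esql.url_lower),
 Esql.event_dataset_values = values(event.dataset)
 by source.ip
 | where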
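Review bot: With `from = "now-9m"` and `interval = "10m"` in the first hunk, each execution inspects a 9-minute window but runs every 10 minutes, which leaves roughly a one-minute slice between consecutive windows that no run queries, whereas the old pair (`now-61m` / `1h`) kept a one-minute overlap. Unless the scheduler widens the effective window, keep the lookback longer than the interval, e.g. `from = "now-11m"`. Dropping `@timestamp > now() - 1 hours` from the `| where` moves the time bounding entirely onto `from`, so any count thresholds in the trailing `| where` (which continues past the last hunk) were presumably tuned against an hour of traffic and may need re-tuning for a window about six times shorter. A minor style point in the second hunk: `Esql_url_lower` becomes `Esql.url_lower` while `Esql_url_text` on the line above keeps the underscore form, so the two derived fields now follow different naming conventions.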
