[New Rule] Web Server Unusual Spike in Error Logs

Aegrah · Aegrah · commit f02996598027 · 2025-11-19T14:30:04.000+01:00
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2025/11/19"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects unusual spikes in error logs from web servers, which may indicate reconnaissance activities such
+as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error
+responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
+issues that could be exploited.
+"""
+from = "now-61m"
+interval = "1h"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Unusual Spike in Error Logs"
+risk_score = 47
+rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
+severity = "medium"
+tags = [
+    "Domain Scope: Single",
+    "Domain: Web",
+    "OS: Linux",
+    "OS: macOS",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Reconnaissance",
+    "Data Source: Network Packet Capture",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Data Source: IIS",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from
+  logs-nginx.error-*,
+  logs-apache.error-*,
+  logs-apache.error-*,
+  logs-iis.error-*
+| where
+    @timestamp > now() - 1 hours
+| keep
+    @timestamp,
+    event.type,
+    event.dataset,
+    source.ip,
+    agent.id,
+    host.name
+| stats
+    Esql.event_count = count(),
+    Esql.host_name_values = values(host.name),
+    Esql.agent_id_values = values(agent.id),
+    Esql.event_dataset_values = values(event.dataset)
+    by source.ip
+| where
+    Esql.event_count > 25
+| limit 100
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.002"
+name = "Vulnerability Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
