[New Rule] Web Server Unusual Spike in Error Logs (#5339)

* [New Rule] Web Server Unusual Spike in Error Logs * Update reconnaissance_web_server_unusual_spike_in_error_logs.toml * Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml * ++ * Remove event limit from error log rule Removed limit on the number of events in the rule. * Rename rule to 'Web Server Potential Spike in Error Logs' * Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml * Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 19:18:23 +01:00
parent 296049e1ff
commit 4f8c967185
1 changed files with 75 additions and 0 deletions
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2025/11/19"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects unusual spikes in error logs from web servers, which may indicate reconnaissance activities such
+as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error
+responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
+issues that could be exploited.
+"""
+from = "now-9m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Potential Spike in Web Server Error Logs"
+risk_score = 21
+rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
+severity = "low"
+tags = [
+    "Domain: Web",
+    "Use Case: Threat Detection",
+    "Tactic: Reconnaissance",
+    "Data Source: Nginx",
+    "Data Source: Apache",
+    "Data Source: Apache Tomcat",
+    "Data Source: IIS",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+| keep
+    @timestamp,
+    event.type,
+    event.dataset,
+    source.ip,
+    agent.id,
+    host.name
+| where source.ip is not null
+| stats
+    Esql.event_count = count(),
+    Esql.host_name_values = values(host.name),
+    Esql.agent_id_values = values(agent.id),
+    Esql.event_dataset_values = values(event.dataset)
+    by source.ip, agent.id
+| where
+    Esql.event_count > 25
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.002"
+name = "Vulnerability Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"