From 4f8c967185cfa8dd7044f7e27eceaaa964ddabea Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 24 Nov 2025 19:18:23 +0100
Subject: [PATCH] [New Rule] Web Server Unusual Spike in Error Logs (#5339)
* [New Rule] Web Server Unusual Spike in Error Logs
* Update reconnaissance_web_server_unusual_spike_in_error_logs.toml
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
* ++
* Remove event limit from error log rule Removed limit on the number of events in the rule.
* Rename rule to 'Web Server Potential Spike in Error Logs'
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
* Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---
...eb_server_unusual_spike_in_error_logs.toml | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
new file mode 100644
index 000000000..f3c90cac1
--- /dev/null
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2025/11/19"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects unusual spikes in error logs from web servers, which may indicate reconnaissance activities such
+as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error
+responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
+issues that could be exploited.
+"""
+from = "now-9m"
+interval = "10m"
+language = "esql"
+license = "Elastic License v2"
+name = "Potential Spike in Web Server Error Logs"
+risk_score = 21
+rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
+severity = "low"
+tags = [
+ "Domain: Web",
+ "Use Case: Threat Detection",
+ "Tactic: Reconnaissance",
+ "Data Source: Nginx",
+ "Data Source: Apache",
+ "Data Source: Apache Tomcat",
+ "Data Source: IIS",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+| keep
+ @timestamp,
+ event.type,
+ event.dataset,
+ source.ip,
+ agent.id,
+ host.name
+| where source.ip is not null
+| stats
+ Esql.event_count = count(),
+ Esql.host_name_values = values(host.name),
+ Esql.agent_id_values = values(agent.id),
+ Esql.event_dataset_values = values(event.dataset)
+ by source.ip, agent.id
+| where
+ Esql.event_count > 25
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.002"
+name = "Vulnerability Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = 
"T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"
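Review bot: The ES|QL query in this hunk never restricts on an error response — the `keep` list is only `@timestamp, event.type, event.dataset, source.ip, agent.id, host.name` and the only predicates are `source.ip is not null` and `Esql.event_count > 25` — so the rule fires for any client that sends more than 25 requests to the covered indices in the window, not for a spike in error logs as `name` and `description` state, which will be very noisy on any real site. Add `http.response.status_code` to the `keep` list and insert `| where http.response.status_code >= 400` before the `stats`; that also makes `logs-network_traffic.tls-*` (no HTTP status) a questionable source, and `integration` in `[metadata]` does not list `network_traffic` even though two of its data streams are queried. Separately, `from = "now-9m"` with `interval = "10m"` leaves a one-minute gap between consecutive runs; unless the sparse schedule is intentional, `from` should cover at least the interval, e.g. `from = "now-11m"`. `event.type` is kept but never used and can be dropped from the `keep`.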