[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)

* [Rule Tuning] Interval fix + Datastream values to ESQL Rules

* Update persistence_web_server_potential_command_injection.toml
Ruben Groenewoud
2025-12-05 16:42:52 +01:00
committed by GitHub
parent b8aedcd7aa
commit 72a2b44db1
5 changed files with 32 additions and 19 deletions
@@ -2,7 +2,7 @@
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2025/12/05"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ applications to inject and execute arbitrary commands on the server, often using
PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to
potential threats early.
"""
from = "now-9m"
from = "now-11m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
@@ -115,7 +115,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
http.response.status_code,
user_agent.original,
host.name,
event.dataset
event.dataset,
data_stream.namespace
| stats
Esql.event_count = count(),
@@ -129,6 +130,7 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
Esql.http.response.status_code_values = values(http.response.status_code),
Esql.user_agent_original_values = values(user_agent.original),
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace),
// Rule Specific fields
Esql.any_payload_keyword_max = max(Esql.any_payload_keyword),
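Review bot: The new `from = "now-11m"` paired with `interval = "10m"` now overlaps each run by one minute, and because this query aggregates (`| stats ... by`), ES|QL rules cannot, as far as I know, de-duplicate alerts across runs, so a source whose burst straddles the overlap can alert twice. That is the usual trade-off for closing the ingest-latency gap the old `now-9m` left, but the reason for the offset is not recorded anywhere in the file; if the repository tooling keeps comments, a line above the key such as `# lookback exceeds interval by 1m to cover ingest delay; aggregating query, so overlapping runs may re-alert` would stop the next tuner from "tidying" it back to an exact match. The same `from`/`interval` change is made in the other four rule files in this commit, so one shared note in the rule-tuning guidance may be preferable to per-file comments. The `[rule]` table continues outside the hunk.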
@@ -2,7 +2,7 @@
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2025/12/05"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects potential web server discovery or fuzzing activity by identify
in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker
is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
"""
from = "now-9m"
from = "now-11m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
@@ -78,7 +78,9 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
source.ip,
agent.id,
host.name,
Esql.url_original_to_lower
Esql.url_original_to_lower,
data_stream.namespace
| stats
Esql.event_count = count(),
Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
@@ -87,7 +89,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
Esql.http_request_method_values = values(http.request.method),
Esql.http_response_status_code_values = values(http.response.status_code),
Esql.url_original_values = values(Esql.url_original_to_lower),
Esql.event_dataset_values = values(event.dataset)
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by source.ip
| where
Esql.event_count > 500 and Esql.url_original_count_distinct > 250
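Review bot: The thresholds `Esql.event_count > 500 and Esql.url_original_count_distinct > 250` are left unchanged while the window they apply to grew from 9m to 11m, so the effective rate needed to fire drops by roughly a fifth. That is probably acceptable given the headroom in these values, but it is worth confirming against the data the thresholds were calibrated on, since a longer window also lets slow scanners accumulate past the cutoff. The same consideration applies to the unchanged `where` thresholds in the other three rule files of this commit (`Esql.event_count > 50`, `Esql.http_response_status_code_count > 10`, and `Esql.event_count > 50 and Esql.url_original_count_distinct > 10`). The query continues outside the hunk.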
@@ -2,7 +2,7 @@
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2025/12/05"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ as vulnerability scanning or fuzzing attempts by adversaries. These activities o
responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
issues that could be exploited.
"""
from = "now-9m"
from = "now-11m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
@@ -71,13 +71,16 @@ from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-i
event.dataset,
source.ip,
agent.id,
host.name
host.name,
data_stream.namespace
| where source.ip is not null
| stats
Esql.event_count = count(),
Esql.host_name_values = values(host.name),
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset)
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by source.ip, agent.id
| where
Esql.event_count > 50
@@ -2,7 +2,7 @@
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2025/12/05"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ reconnaissance activities such as vulnerability scanning or fuzzing attempts by
generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes
may potentially indicate server-side issues that could be exploited.
"""
from = "now-9m"
from = "now-11m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
@@ -84,7 +84,9 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
source.ip,
agent.id,
host.name,
Esql.url_original_to_lower
Esql.url_original_to_lower,
data_stream.namespace
| stats
Esql.event_count = count(),
Esql.http_response_status_code_count = count(http.response.status_code),
@@ -94,7 +96,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
Esql.http_request_method_values = values(http.request.method),
Esql.http_response_status_code_values = values(http.response.status_code),
Esql.url_path_values = values(Esql.url_original_to_lower),
Esql.event_dataset_values = values(event.dataset)
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by source.ip, agent.id
| where
Esql.http_response_status_code_count > 10
@@ -2,7 +2,7 @@
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/12/01"
updated_date = "2025/12/05"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ This rule detects unusual spikes in web server requests with uncommon or suspici
indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These
user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.
"""
from = "now-9m"
from = "now-11m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
@@ -101,7 +101,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
agent.id,
host.name,
Esql.url_original_to_lower,
Esql.user_agent_original_to_lower
Esql.user_agent_original_to_lower,
data_stream.namespace
| stats
Esql.event_count = count(),
Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
@@ -109,7 +110,8 @@ from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, log
Esql.agent_id_values = values(agent.id),
Esql.url_original_values = values(Esql.url_original_to_lower),
Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
Esql.event_dataset_values = values(event.dataset)
Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by source.ip, agent.id
| where
Esql.event_count > 50 and Esql.url_original_count_distinct > 10