[Rule Tuning] Added Traefik Compatibility to Web Server Access Rules (#5837)

* [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules

* ++

* Bump pyproject.toml

* Bump pyproject.toml

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.2"
+version = "1.6.3"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/cross-platform/defense_evasion_potential_http_downgrade_attack.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/27"
-integration = ["nginx", "apache", "apache_tomcat"]
+integration = ["nginx", "apache", "apache_tomcat", "traefik"]
 maturity = "production"
-updated_date = "2025/12/08"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -19,6 +19,7 @@ index = [
         "logs-nginx.access-*",
         "logs-apache.access-*",
         "logs-apache_tomcat.access-*",
+        "logs-traefik.access-*",
 ]
 language = "kuery"
 license = "Elastic License v2"
@@ -63,6 +64,7 @@ tags = [
     "Data Source: Nginx",
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
+    "Data Source: Traefik",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"

rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2025/12/02"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -60,6 +60,7 @@ tags = [
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
     "Data Source: IIS",
+    "Data Source: Traefik",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -69,7 +70,8 @@ from
   logs-nginx.access-*,
   logs-apache.access-*,
   logs-apache_tomcat.access-*,
-  logs-iis.access-*
+  logs-iis.access-*,
+  logs-traefik.access-*
 | where
     http.request.method == "GET" and
     http.response.status_code == 200 and

rules/cross-platform/discovery_web_server_remote_file_inclusion_activity.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2025/12/02"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
 min_stack_version = "9.2.0"
 min_stack_comments = "The esql url_decode() operator was introduced in version 9.2.0"
-updated_date = "2025/12/08"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -62,6 +62,7 @@ tags = [
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
     "Data Source: IIS",
+    "Data Source: Traefik",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
@@ -71,7 +72,8 @@ from
   logs-nginx.access-*,
   logs-apache.access-*,
   logs-apache_tomcat.access-*,
-  logs-iis.access-*
+  logs-iis.access-*,
+  logs-traefik.access-*
 | where
     http.request.method == "GET" and
     http.response.status_code == 200 and

rules/cross-platform/persistence_web_server_potential_command_injection.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -64,12 +64,13 @@ tags = [
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
     "Data Source: IIS",
+    "Data Source: Traefik",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 | where
     // Limit to 200 response code to reduce noise
     http.response.status_code == 200

rules/cross-platform/reconnaissance_web_server_discovery_or_fuzzing_activity.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -58,12 +58,13 @@ tags = [
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
     "Data Source: IIS",
+    "Data Source: Traefik",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 | where
     http.request.method == "GET" and 
     http.response.status_code in (404, 403)

rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -59,12 +59,13 @@ tags = [
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
     "Data Source: IIS",
+    "Data Source: Traefik",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 | where
     http.request.method == "GET" and
     http.response.status_code in (

rules/cross-platform/reconnaissance_web_server_unusual_user_agents.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -59,12 +59,13 @@ tags = [
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
     "Data Source: IIS",
+    "Data Source: Traefik",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
+from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*
 
 | eval Esql.user_agent_original_to_lower = to_lower(user_agent.original), Esql.url_original_to_lower = to_lower(url.original)
 

rules_building_block/persistence_web_server_potential_sql_injection.toml

@@ -1,9 +1,9 @@
 [metadata]
 bypass_bbr_timing = true
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis"]
+integration = ["nginx", "apache", "apache_tomcat", "iis", "traefik"]
 maturity = "production"
-updated_date = "2025/11/19"
+updated_date = "2026/03/16"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,8 @@ index = [
         "logs-nginx.access-*",
         "logs-apache.access-*",
         "logs-apache_tomcat.access-*",
-        "logs-iis.access-*"
+        "logs-iis.access-*",
+        "logs-traefik.access-*"
 ]
 interval = "10m"
 language = "eql"
@@ -39,6 +40,7 @@ tags = [
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
     "Data Source: IIS",
+    "Data Source: Traefik",
     "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"