From f02996598027526764b76ea58f8afa78a784c677 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Wed, 19 Nov 2025 14:30:04 +0100
Subject: [PATCH 01/10] [New Rule] Web Server Unusual Spike in Error Logs

---
 ...eb_server_unusual_spike_in_error_logs.toml | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
new file mode 100644
index 00000000000..de37b4c8c41
--- /dev/null
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2025/11/19"
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
+maturity = "production"
+updated_date = "2025/11/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects unusual spikes in error logs from web servers, which may indicate reconnaissance activities such
+as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error
+responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
+issues that could be exploited.
+"""
+from = "now-61m"
+interval = "1h"
+language = "esql"
+license = "Elastic License v2"
+name = "Web Server Unusual Spike in Error Logs"
+risk_score = 47
+rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
+severity = "medium"
+tags = [
+ "Domain Scope: Single",
+ "Domain: Web",
+ "OS: Linux",
+ "OS: macOS",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Reconnaissance",
+ "Data Source: Network Packet Capture",
+ "Data Source: Nginx",
+ "Data Source: Apache",
+ "Data Source: Apache Tomcat",
+ "Data Source: IIS",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from
+ logs-nginx.error-*,
+ logs-apache.error-*,
+ logs-apache.error-*,
+ logs-iis.error-*
+| where
+ @timestamp > now() - 1 hours
+| keep
+ @timestamp,
+ event.type,
+ event.dataset,
+ source.ip,
+ agent.id,
+ host.name
+| stats
+ Esql.event_count = count(),
+ Esql.host_name_values = values(host.name),
+ Esql.agent_id_values = values(agent.id),
+ Esql.event_dataset_values = values(event.dataset)
+ by source.ip
+| where
+ Esql.event_count > 25
+| limit 100
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1595"
+name = "Active Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.002"
+name = "Vulnerability Scanning"
+reference = 
"https://attack.mitre.org/techniques/T1595/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1595.003"
+name = "Wordlist Scanning"
+reference = "https://attack.mitre.org/techniques/T1595/003/"
+
+[rule.threat.tactic]
+id = "TA0043"
+name = "Reconnaissance"
+reference = "https://attack.mitre.org/tactics/TA0043/"

From 08a0ccac21122fdb1cf8d9d3765095ffa63e4e9d Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 19 Nov 2025 15:16:36 +0100
Subject: [PATCH 02/10] Update reconnaissance_web_server_unusual_spike_in_error_logs.toml

---
 .../reconnaissance_web_server_unusual_spike_in_error_logs.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index de37b4c8c41..b25d48ddf8a 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -28,7 +28,6 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
- "Data Source: Network Packet Capture",
 "Data Source: Nginx",
 "Data Source: Apache",
 "Data Source: Apache Tomcat",

From 600a47dc34072dc73b99dfccd8dc950054090dca Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 21 Nov 2025 15:29:53 +0100
Subject: [PATCH 03/10] Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

---
 .../reconnaissance_web_server_unusual_spike_in_error_logs.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index b25d48ddf8a..e6bd8a38402 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
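Review bot: The `description` in this new-file hunk promises detection of an "unusual spike", but the query fires on a fixed absolute count — `Esql.event_count > 25` error-log events from one `source.ip` within the lookback — with no per-host or historical baseline, so a chatty monitoring probe or a misconfigured client clears the bar as easily as a scanner. Either say so in the description, e.g. `This rule alerts when a single source IP produces more than 25 web server error-log events within the rule window; tune the threshold to the normal error rate of your environment.`, or derive the threshold from a baseline. The `| keep` also carries `event.type`, which nothing after it reads, so it can be dropped; and `values(host.name)` / `values(agent.id)` under `by source.ip` will fold one scanner hitting many servers into a single alert listing every host, which is fine if intended but worth stating in the description.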
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -38,7 +38,7 @@ type = "esql"
 query = '''
 from
 logs-nginx.error-*,
- logs-apache.error-*,
+ logs-apache_tomcat.error-*,
 logs-apache.error-*,
 logs-iis.error-*
 | where

From cf96054259b9d8dd799381c0d1efe04e30a26b2d Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Mon, 24 Nov 2025 14:13:13 +0100
Subject: [PATCH 04/10] ++

---
 ...e_web_server_unusual_spike_in_error_logs.toml | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index e6bd8a38402..8419f3e0610 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -12,20 +12,16 @@ as vulnerability scanning or fuzzing attempts by adversaries. These activities o
 responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
 issues that could be exploited.
 """
-from = "now-61m"
-interval = "1h"
+from = "now-9m"
+interval = "10m"
 language = "esql"
 license = "Elastic License v2"
 name = "Web Server Unusual Spike in Error Logs"
-risk_score = 47
+risk_score = 21
 rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
-severity = "medium"
+severity = "low"
 tags = [
- "Domain Scope: Single",
 "Domain: Web",
- "OS: Linux",
- "OS: macOS",
- "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Reconnaissance",
 "Data Source: Nginx",
@@ -41,8 +37,6 @@ from
 logs-apache_tomcat.error-*,
 logs-apache.error-*,
 logs-iis.error-*
-| where
- @timestamp > now() - 1 hours
 | keep
 @timestamp,
 event.type,
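Review bot: In the `@@ -12,20 +12,16 @@` hunk, `from = "now-9m"` paired with `interval = "10m"` leaves one minute of every ten outside any query window, so a burst of errors that lands in that minute is never counted by a rule whose whole signal is a count. If the non-overlapping window is deliberate — an aggregating ES|QL query with overlapping runs would re-alert on the same burst — a comment should say so, e.g. `# Window is intentionally shorter than the interval: each run aggregates a disjoint slice so the same burst is not re-alerted.`; if it is not, `from = "now-10m"` closes the gap at the cost of that duplication. I cannot see from here whether the rule runner pads the window, so please confirm which behaviour applies before choosing.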
@@ -55,7 +49,7 @@ from
 Esql.host_name_values = values(host.name),
 Esql.agent_id_values = values(agent.id),
 Esql.event_dataset_values = values(event.dataset)
- by source.ip
+ by source.ip, agent.id
 | where
 Esql.event_count > 25
 | limit 100

From a3ea3678fe1c947d689acfed1f5649aa23cc4ddd Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 24 Nov 2025 14:24:14 +0100
Subject: [PATCH 05/10] Remove event limit from error log rule

Removed limit on the number of events in the rule.
---
 .../reconnaissance_web_server_unusual_spike_in_error_logs.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index 8419f3e0610..b0e04e79ab1 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -52,7 +52,6 @@ from
 by source.ip, agent.id
 | where
 Esql.event_count > 25
-| limit 100
 '''

 [[rule.threat]]

From 32c17d836df1a6a31d1d1b10ae95063696f23dc8 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 24 Nov 2025 15:41:50 +0100
Subject: [PATCH 06/10] Rename rule to 'Web Server Potential Spike in Error Logs'

---
 .../reconnaissance_web_server_unusual_spike_in_error_logs.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index b0e04e79ab1..e0caaa2258e 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
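Review bot: In the `@@ -55,7 +49,7 @@` hunk, once `agent.id` becomes a group key, `Esql.agent_id_values = values(agent.id)` two lines above the change is redundant — it can only ever hold the single key value — and should be removed (`values(host.name)` is in the same position if host and agent are one-to-one, which I cannot confirm from here). The grouping change also means one scanner sweeping N web servers now raises N separate alerts instead of one, each with a count that is only the per-server share, so a scan spread thinly across a fleet may never reach `> 25` on any single server. If per-server alerts are the goal, say so in the description; otherwise keep `by source.ip` and let the `values(...)` columns carry the fan-out.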
@@ -16,7 +16,7 @@ from = "now-9m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
-name = "Web Server Unusual Spike in Error Logs"
+name = "Web Server Potential Spike in Error Logs"
 risk_score = 21
 rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
 severity = "low"

From 8d8bebf1546f9054ed79039760bbed3093619e16 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 24 Nov 2025 13:04:05 -0500
Subject: [PATCH 07/10] Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 .../reconnaissance_web_server_unusual_spike_in_error_logs.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index e0caaa2258e..e006bf12314 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -16,7 +16,7 @@ from = "now-9m"
 interval = "10m"
 language = "esql"
 license = "Elastic License v2"
-name = "Web Server Potential Spike in Error Logs"
+name = "Potential Spike in Web Server Error Logs"
 risk_score = 21
 rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
 severity = "low"

From 828dfa5b898b24d62505978e314b1214bc62735f Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 24 Nov 2025 13:04:14 -0500
Subject: [PATCH 08/10] Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---
 .../reconnaissance_web_server_unusual_spike_in_error_logs.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index e006bf12314..55ac02c06a4 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from
+from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
 logs-nginx.error-*,
 logs-apache_tomcat.error-*,
 logs-apache.error-*,

From a0063832c1176700d2e00a7ac5ae2821a719fe31 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 24 Nov 2025 13:07:05 -0500
Subject: [PATCH 09/10] Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

---
 .../reconnaissance_web_server_unusual_spike_in_error_logs.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index 55ac02c06a4..540d715321d 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -44,6 +44,7 @@ from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-
 source.ip,
 agent.id,
 host.name
+| where source.ip is not null
 | stats
 Esql.event_count = count(),
 Esql.host_name_values = values(host.name),

From da7c54083253a897c0fbecfb880ecff80f03ba0b Mon Sep 17 00:00:00 2001
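Review bot: In the `@@ -32,7 +32,7 @@` hunk, the new `from` line pulls in HTTP and TLS packet captures and every access-log dataset, none of which is restricted to errors, and nothing later in the query filters by response status — so the pipeline now counts every request and every TLS handshake and any client making more than 25 in the window will alert, which is ordinary browsing rather than scanning. Add a status predicate before the aggregation, e.g. `| where http.response.status_code >= 400` with `http.response.status_code` added to `| keep`, and decide what to do with `logs-network_traffic.tls-*`, which carries no HTTP status and would be dropped by that predicate. As a matter of style, the one-line index list breaks the one-pattern-per-line layout the rest of the query uses; the query body continues outside the hunk.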
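Review bot: In the `@@ -44,6 +44,7 @@` hunk, `| where source.ip is not null` removes the null bucket, but for access logs written behind a load balancer, CDN or reverse proxy the recorded `source.ip` is presumably the proxy address, which merges all client traffic into one key and will exceed `> 25` on every run. If such deployments are in scope, group on whichever ECS client-address field the integrations populate from the forwarded-for header (`client.ip` where it is set — please verify against the integration mappings) or at least note the limitation in the rule description, e.g. `Web servers fronted by a proxy report the proxy address as source.ip; tune or exclude those hosts.` The `| stats` clause that consumes this filter lies outside the hunk.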
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 24 Nov 2025 13:09:42 -0500
Subject: [PATCH 10/10] Update rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

---
 ...reconnaissance_web_server_unusual_spike_in_error_logs.toml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
index 540d715321d..f3c90cac1f0 100644
--- a/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
+++ b/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
@@ -33,10 +33,6 @@ timestamp_override = "event.ingested"
 type = "esql"
 query = '''
 from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
- logs-nginx.error-*,
- logs-apache_tomcat.error-*,
- logs-apache.error-*,
- logs-iis.error-*
 | keep
 @timestamp,
 event.type,
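Review bot: With the four `*.error-*` patterns removed, the query no longer reads any error log at all — only access logs and `network_traffic` packet data — yet `name` ("… Error Logs"), the `description`, `metadata.integration` (`nginx`, `apache`, `apache_tomcat`, `iis`) and the `Data Source:` tags, all outside this hunk, still describe error-log sources and say nothing about `network_traffic`. Update them alongside the query: add `"network_traffic"` to `integration`, add a matching `Data Source` tag for the packet-capture integration, and reword the description to say the rule counts HTTP error responses in access logs and captured HTTP traffic rather than "error logs". Note that the surviving `from` line still applies no status-code filter, so until one is added the only thing the remaining text accurately describes is request volume; the `query` string continues past the hunk.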