[Rule Tuning] Potential Spike in Web Server Error Logs #5358

@eric-forte-elastic

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml is using the wrong indices. They should be logs-{integration}.error-* instead of logs-{integration}.access-* (caught by @w0rk3r).
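The mismatch described in this issue (a rule named for error logs whose `index` patterns point at the access-log data streams) is the kind of data-quality defect a small pre-merge check can catch. The following is an added example, not code from the detection-rules repository: it assumes the `logs-{integration}.{dataset}-*` pattern naming used above, and the rule fragment and `find_mismatched_indices` helper are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed sample rule fragment (not the real detection-rules file). The rule
# targets a spike in web server *error* logs, but its index patterns select the
# access-log data streams, which is the defect the issue reports.
RULE_WITH_WRONG_INDICES = '''
[rule]
name = "Potential Spike in Web Server Error Logs"
index = ["logs-apache.access-*", "logs-nginx.access-*"]
'''

# The corrected form: same rule, indices pointing at the error data streams.
RULE_WITH_CORRECT_INDICES = RULE_WITH_WRONG_INDICES.replace(".access-", ".error-")

# Data stream naming convention assumed here: logs-<integration>.<dataset>-*
INDEX_RE = re.compile(r"^logs-(?P<integration>[^.]+)\.(?P<dataset>[^-]+)-\*$")


def extract_indices(rule_toml: str) -> List[str]:
    """Return the string items of the `index = [...]` array in a rule file."""
    m = re.search(r"^index\s*=\s*\[(.*?)\]", rule_toml, re.S | re.M)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def expected_dataset(rule_name: str) -> Optional[str]:
    """Infer which web server dataset the rule name says it is about."""
    low = rule_name.lower()
    for dataset in ("error", "access"):
        if f"{dataset} log" in low:
            return dataset
    return None  # name gives no hint; nothing to check against


def find_mismatched_indices(rule_toml: str) -> List[str]:
    """List index patterns whose dataset disagrees with the rule's stated intent."""
    name_m = re.search(r'^name\s*=\s*"([^"]*)"', rule_toml, re.M)
    want = expected_dataset(name_m.group(1) if name_m else "")
    if want is None:
        return []
    mismatched = []
    for pattern in extract_indices(rule_toml):
        m = INDEX_RE.match(pattern)
        if m and m.group("dataset") != want:
            mismatched.append(pattern)
    return mismatched


if __name__ == "__main__":
    print("wrong:", find_mismatched_indices(RULE_WITH_WRONG_INDICES))
    print("fixed:", find_mismatched_indices(RULE_WITH_CORRECT_INDICES))
```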

Example Data

No response
