Skip to content

[New Rule] Web Server Unusual Spike in Error Logs #5339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Nov 24, 2025
Merged

[New Rule] Web Server Unusual Spike in Error Logs #5339

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
f029965
[New Rule] Web Server Unusual Spike in Error Logs
Aegrah Nov 19, 2025
08a0cca
Update reconnaissance_web_server_unusual_spike_in_error_logs.toml
Aegrah Nov 19, 2025
600a47d
Update rules/cross-platform/reconnaissance_web_server_unusual_spike_i…
Aegrah Nov 21, 2025
cf96054
++
Aegrah Nov 24, 2025
a3ea367
Remove event limit from error log rule
Aegrah Nov 24, 2025
32c17d8
Rename rule to 'Web Server Potential Spike in Error Logs'
Aegrah Nov 24, 2025
21a6d4c
Merge branch 'main' into new-rule-spike-error-logs
terrancedejesus Nov 24, 2025
b6c6da4
Merge branch 'main' into new-rule-spike-error-logs
terrancedejesus Nov 24, 2025
8d8bebf
Update rules/cross-platform/reconnaissance_web_server_unusual_spike_i…
terrancedejesus Nov 24, 2025
828dfa5
Update rules/cross-platform/reconnaissance_web_server_unusual_spike_i…
terrancedejesus Nov 24, 2025
a006383
Update rules/cross-platform/reconnaissance_web_server_unusual_spike_i…
terrancedejesus Nov 24, 2025
037fc0d
Merge branch 'main' into new-rule-spike-error-logs
terrancedejesus Nov 24, 2025
da7c540
Update rules/cross-platform/reconnaissance_web_server_unusual_spike_i…
terrancedejesus Nov 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 75 additions & 0 deletions rules/cross-platform/reconnaissance_web_server_unusual_spike_in_error_logs.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
[metadata]
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/11/19"

[rule]
author = ["Elastic"]
description = """
This rule detects unusual spikes in error logs from web servers, which may indicate reconnaissance activities such
as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error
responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side
issues that could be exploited.
"""
from = "now-9m"
interval = "10m"
language = "esql"
license = "Elastic License v2"
name = "Potential Spike in Web Server Error Logs"
risk_score = 21
rule_id = "6631a759-4559-4c33-a392-13f146c8bcc4"
severity = "low"
tags = [
"Domain: Web",
"Use Case: Threat Detection",
"Tactic: Reconnaissance",
"Data Source: Nginx",
"Data Source: Apache",
"Data Source: Apache Tomcat",
"Data Source: IIS",
]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
| keep
@timestamp,
event.type,
event.dataset,
source.ip,
agent.id,
host.name
| where source.ip is not null
| stats
Esql.event_count = count(),
Esql.host_name_values = values(host.name),
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset)
by source.ip, agent.id
| where
Esql.event_count > 25
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"

[[rule.threat.technique.subtechnique]]
id = "T1595.002"
name = "Vulnerability Scanning"
reference = "https://attack.mitre.org/techniques/T1595/002/"

[[rule.threat.technique.subtechnique]]
id = "T1595.003"
name = "Wordlist Scanning"
reference = "https://attack.mitre.org/techniques/T1595/003/"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
Loading