Potential Spike in Web Server Error Logs

Last updated a day ago on 2025-11-25

Created 7 days ago on 2025-11-19

About

This rule detects unusual spikes in error logs from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.

Tags

Domain: WebUse Case: Threat DetectionTactic: ReconnaissanceData Source: NginxData Source: ApacheData Source: Apache TomcatData Source: IISLanguage: esql

Severity

low

Risk Score

MITRE ATT&CK™

Reconnaissance (TA0043)(opens in a new tab or window)

↳ Active Scanning (T1595)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

nginx(opens in a new tab or window)

apache(opens in a new tab or window)

apache_tomcat(opens in a new tab or window)

iis(opens in a new tab or window)

Query

from logs-nginx.error-*, logs-apache_tomcat.error-*, logs-apache.error-*, logs-iis.error-*
| keep
    @timestamp,
    event.type,
    event.dataset,
    source.ip,
    agent.id,
    host.name
| where source.ip is not null
| stats
    Esql.event_count = count(),
    Esql.host_name_values = values(host.name),
    Esql.agent_id_values = values(agent.id),
    Esql.event_dataset_values = values(event.dataset)
    by source.ip, agent.id
| where
    Esql.event_count > 25

Install detection rules in Elastic Security

Detect Potential Spike in Web Server Error Logs in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).