Elastic Security Detection Rules

Web Server Potential Spike in Error Response Codes

Last updated 2 days ago on 2025-11-24
Created 7 days ago on 2025-11-19

About

This rule detects unusual spikes in error response codes (500, 502, 503, 504) from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.
Tags
Domain: WebDomain: NetworkUse Case: Threat DetectionTactic: ReconnaissanceData Source: Network Packet CaptureData Source: NginxData Source: ApacheData Source: Apache TomcatData Source: IISLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Reconnaissance (TA0043)(opens in a new tab or window)

Active Scanning (T1595)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

network_traffic(opens in a new tab or window)

nginx(opens in a new tab or window)

apache(opens in a new tab or window)

apache_tomcat(opens in a new tab or window)

iis(opens in a new tab or window)

Query
from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
| where
    (url.original is not null or url.full is not null) and
    http.request.method == "GET" and
    http.response.status_code in (
      500, // Internal Server Error
      502, // Bad Gateway
      503, // Service Unavailable
      504 // Gateway Timeout
    )
| eval Esql.url_text  = case(url.original is not null, url.original, url.full)
| eval Esql.url_lower = to_lower(Esql.url_text)

| keep
    @timestamp,
    event.dataset,
    http.request.method,
    http.response.status_code,
    source.ip,
    agent.id,
    host.name,
    Esql.url_lower
| stats
    Esql.event_count = count(),
    Esql.http_response_status_code_count = count(http.response.status_code),
    Esql.http_response_status_code_values = values(http.response.status_code),
    Esql.host_name_values = values(host.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
    Esql.url_path_values = values(Esql.url_lower),
    Esql.event_dataset_values = values(event.dataset)
    by source.ip, agent.id
| where
    Esql.http_response_status_code_count > 10

Install detection rules in Elastic Security

Detect Web Server Potential Spike in Error Response Codes in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).