Elastic Security Detection Rules

Web Server Discovery or Fuzzing Activity

Last updated 2 days ago on 2025-11-24
Created 7 days ago on 2025-11-19

About

This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
Tags
Domain: WebDomain: NetworkUse Case: Threat DetectionTactic: ReconnaissanceData Source: Network Packet CaptureData Source: NginxData Source: ApacheData Source: Apache TomcatData Source: IISLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Reconnaissance (TA0043)(opens in a new tab or window)

Active Scanning (T1595)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

network_traffic(opens in a new tab or window)

nginx(opens in a new tab or window)

apache(opens in a new tab or window)

apache_tomcat(opens in a new tab or window)

iis(opens in a new tab or window)

Query
from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
| where
    (url.original is not null or url.full is not null) and
    http.request.method == "GET" and 
    http.response.status_code in (404, 403)

| eval Esql.url_text  = case(url.original is not null, url.original, url.full)
| eval Esql.url_lower = to_lower(Esql.url_text)

| keep
    @timestamp,
    event.dataset,
    http.request.method,
    http.response.status_code,
    source.ip,
    agent.id,
    host.name,
    Esql.url_lower
| stats
    Esql.event_count = count(),
    Esql.url_lower_count_distinct = count_distinct(Esql.url_lower),
    Esql.host_name_values = values(host.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
    Esql.url_path_values = values(Esql.url_lower),
    Esql.event_dataset_values = values(event.dataset)
    by source.ip
| where
  Esql.event_count > 500 and Esql.url_lower_count_distinct > 250

Install detection rules in Elastic Security

Detect Web Server Discovery or Fuzzing Activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).