Elastic Security Detection Rules

Web Server Discovery or Fuzzing Activity

Last updated a month ago on 2025-12-05
Created 2 months ago on 2025-11-19

About

This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.
Tags
Domain: WebUse Case: Threat DetectionTactic: ReconnaissanceData Source: NginxData Source: ApacheData Source: Apache TomcatData Source: IISLanguage: esql
Severity
low
Risk Score
21
MITRE ATT&CK™

Reconnaissance (TA0043)(external, opens in a new tab or window)

Active Scanning (T1595)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

nginx(external, opens in a new tab or window)

apache(external, opens in a new tab or window)

apache_tomcat(external, opens in a new tab or window)

iis(external, opens in a new tab or window)

Query
text code block:
from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
| where
    http.request.method == "GET" and 
    http.response.status_code in (404, 403)

| eval Esql.url_original_to_lower = to_lower(url.original)

| keep
    @timestamp,
    event.dataset,
    http.request.method,
    http.response.status_code,
    source.ip,
    agent.id,
    host.name,
    Esql.url_original_to_lower,
    data_stream.namespace

| stats
    Esql.event_count = count(),
    Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
    Esql.host_name_values = values(host.name),
    Esql.agent_id_values = values(agent.id),
    Esql.http_request_method_values = values(http.request.method),
    Esql.http_response_status_code_values = values(http.response.status_code),
    Esql.url_original_values = values(Esql.url_original_to_lower),
    Esql.event_dataset_values = values(event.dataset),
    Esql.data_stream_namespace_values = values(data_stream.namespace)
    by source.ip
| where
  Esql.event_count > 500 and Esql.url_original_count_distinct > 250

Install detection rules in Elastic Security

Detect Web Server Discovery or Fuzzing Activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).