Potential HTTP Downgrade Attack

Last updated: 2025-11-27
Created: 2025-11-27

About

This rule uses the new_terms rule type to detect potential HTTP downgrade attacks by identifying HTTP traffic whose HTTP version differs from the versions normally seen in the environment. An HTTP downgrade attack occurs when an attacker forces a connection to use an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in those older protocol versions.
Tags
Domain: Web
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Nginx
Data Source: Apache
Data Source: Apache Tomcat
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-nginx.access-*
logs-apache.access-*
logs-apache_tomcat.access-*
Related Integrations

nginx

apache

apache_tomcat

Query
http.version:*
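The query above only selects events that carry an http.version field; the new_terms logic is what decides which of them alert. As an added illustration that is not part of the rule or of Elastic's code, the following Python emulates that logic on constructed nginx access-log lines: a history window establishes the versions normally seen, and an event alerts when its version has not appeared there. The log lines and the field names in the alert dictionary are assumptions for the example.

```python
import re
from collections import Counter

# Constructed nginx access-log lines (combined format); sample data, not from the original page.
# HISTORY stands in for the rule's history window, NEW_EVENTS for the events being evaluated.
HISTORY = [
    '203.0.113.10 - - [20/Nov/2025:10:00:01 +0000] "GET /index.html HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/Nov/2025:10:00:05 +0000] "GET /api/items HTTP/2.0" 200 2048 "-" "curl/8.4.0"',
    '203.0.113.12 - - [21/Nov/2025:11:30:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
NEW_EVENTS = [
    '203.0.113.13 - - [27/Nov/2025:09:15:00 +0000] "GET /admin HTTP/1.0" 200 1024 "-" "python-requests/2.31"',
    '203.0.113.14 - - [27/Nov/2025:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [27/Nov/2025:09:17:00 +0000] "GET /legacy" 200 10 "-" "-"',
]

# Request line: method, path and a version token (absent for HTTP/0.9-style requests).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>\d\.\d)"')

def http_version(line):
    """Return the ECS-style http.version ('1.1', '2.0'), or None when the request line
    has no version token; the rule's query http.version:* only matches events with the field."""
    m = REQUEST_RE.search(line)
    return m.group("version") if m else None

def baseline_versions(lines):
    """Count the http.version values seen in the history window."""
    return Counter(v for v in map(http_version, lines) if v is not None)

def new_terms_alerts(history, events):
    """Emulate a new_terms rule on http.version: alert once per version that has not
    appeared in the history window. Events without the field are skipped, not alerted."""
    known = set(baseline_versions(history))
    alerts = []
    for line in events:
        version = http_version(line)
        if version is None or version in known:
            continue
        alerts.append({"http.version": version,
                       "source.address": line.split(" ", 1)[0],
                       "message": line})
        known.add(version)  # the same new term does not alert twice in one run
    return alerts

if __name__ == "__main__":
    print("baseline:", dict(baseline_versions(HISTORY)))
    for alert in new_terms_alerts(HISTORY, NEW_EVENTS):
        print("ALERT", alert["source.address"], "http.version", alert["http.version"])
```

With this data only the HTTP/1.0 request alerts: HTTP/1.1 is already in the baseline and the version-less request never has the field. A version that is merely new to the window can still be a legitimate client, which is why the rule carries a low severity and the alert should be triaged against the client and request rather than treated as a confirmed downgrade.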

Install detection rules in Elastic Security

Detect Potential HTTP Downgrade Attack in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.