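// Web-server requests whose user-agent string matches the default UA of
// common scanning / enumeration / exploitation tooling, aggregated per
// source.ip and agent.id so a single probe stays quiet but a sweep alerts.
// user_agent.original is client-supplied: this only catches tooling that
// keeps its default UA, so a non-match is not evidence of benign traffic.
// ES|QL `like` is case-sensitive, hence the lowercased copy and the
// all-lowercase patterns below.
from logs-network_traffic.http-*, logs-network_traffic.tls-*, logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
| eval Esql.user_agent_original_lower = to_lower(user_agent.original)
| where
    // Require a URL; the sources above populate either url.original or url.full.
    (url.original is not null or url.full is not null) and
    (
        // Patterns with no wildcard are exact (lowercased) matches; the "*tool*"
        // forms are substring matches and are the broadest in this list.
        Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto
        Esql.user_agent_original_lower like "nikto*" or // Nikto
        Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner
        Esql.user_agent_original_lower like "*nessus*" or // Nessus Vulnerability Scanner
        Esql.user_agent_original_lower like "sqlmap/*" or // SQLMap
        Esql.user_agent_original_lower like "wpscan*" or // WPScan
        Esql.user_agent_original_lower like "feroxbuster/*" or // Feroxbuster
        Esql.user_agent_original_lower like "masscan*" or // Masscan & masscan-ng
        Esql.user_agent_original_lower like "fuzz*" or // Ffuf
        // Dirsearch: the pattern previously contained the stray text
        // `user_agent.original like~ ` inside the string literal, so it could
        // never match a real UA; the literal is now a plain UA string.
        Esql.user_agent_original_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.88 safari/537.36" or // Dirsearch
        Esql.user_agent_original_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb
        Esql.user_agent_original_lower like "dirbuster*" or // Dirbuster
        Esql.user_agent_original_lower like "gobuster/*" or // Gobuster
        Esql.user_agent_original_lower like "*dirsearch*" or // dirsearch
        Esql.user_agent_original_lower like "*nmap*" or // Nmap Scripting Engine
        Esql.user_agent_original_lower like "*hydra*" or // Hydra Brute Forcer
        Esql.user_agent_original_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework
        Esql.user_agent_original_lower like "*arachni*" or // Arachni Web Application Security Scanner
        Esql.user_agent_original_lower like "*skipfish*" or // Skipfish Web Application Security Scanner
        Esql.user_agent_original_lower like "*openvas*" or // OpenVAS Vulnerability Scanner
        Esql.user_agent_original_lower like "*acunetix*" or // Acunetix Vulnerability Scanner
        // "*zap*" and "*burp*" are short substrings and may match unrelated
        // agents; review the captured UA values before tuning them tighter.
        Esql.user_agent_original_lower like "*zap*" or // OWASP ZAP
        Esql.user_agent_original_lower like "*burp*" // Burp Suite
    )
// Prefer url.original and fall back to url.full, lowercased so the distinct
// path count is not inflated by case variants of the same path.
| eval Esql.url_lower = to_lower(coalesce(url.original, url.full))
| keep
    @timestamp,
    event.dataset,
    user_agent.original,
    source.ip,
    agent.id,
    host.name,
    Esql.url_lower,
    Esql.user_agent_original_lower
// One row per client and collecting agent; values() keeps the matched UAs,
// paths, hosts and datasets on the alert for triage.
| stats
    Esql.event_count = count(),
    Esql.url_path_count_distinct = count_distinct(Esql.url_lower),
    Esql.host_name_values = values(host.name),
    Esql.agent_id_values = values(agent.id),
    Esql.url_path_values = values(Esql.url_lower),
    Esql.user_agent_original_values = values(Esql.user_agent_original_lower),
    Esql.event_dataset_values = values(event.dataset)
    by source.ip, agent.id
// Volume and breadth thresholds; tune per environment. count_distinct is an
// approximation, so the path threshold is not exact at the margin.
| where
    Esql.event_count > 50 and Esql.url_path_count_distinct > 10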
Detect Web Server Suspicious User Agent Requests in the Elastic Security detection engine by installing this rule into your Elastic Stack.