Reconnaissance (TA0043)
Credential Access (TA0006)
nginx
apache
Rule query (ES|QL):

```esql
from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*
| eval
    Esql.user_agent_original_to_lower = to_lower(user_agent.original),
    Esql.url_original_to_lower = to_lower(url.original)
| where
    Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36" or // Nikto
    Esql.user_agent_original_to_lower like "nikto*" or // Nikto
    Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" or // Nessus Vulnerability Scanner
    Esql.user_agent_original_to_lower like "*nessus*" or // Nessus Vulnerability Scanner
    Esql.user_agent_original_to_lower like "sqlmap/*" or // SQLMap
    Esql.user_agent_original_to_lower like "wpscan*" or // WPScan
    Esql.user_agent_original_to_lower like "feroxbuster/*" or // Feroxbuster
    Esql.user_agent_original_to_lower like "masscan*" or // Masscan & masscan-ng
    Esql.user_agent_original_to_lower like "fuzz*" or // Ffuf
    Esql.user_agent_original_to_lower like "mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/87.0.4280.88 safari/537.36" or // Dirsearch
    Esql.user_agent_original_to_lower like "mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)" or // Dirb
    Esql.user_agent_original_to_lower like "dirbuster*" or // Dirbuster
    Esql.user_agent_original_to_lower like "gobuster/*" or // Gobuster
    Esql.user_agent_original_to_lower like "*dirsearch*" or // dirsearch
    Esql.user_agent_original_to_lower like "*nmap*" or // Nmap Scripting Engine
    Esql.user_agent_original_to_lower like "*hydra*" or // Hydra Brute Forcer
    Esql.user_agent_original_to_lower like "*w3af*" or // w3af Web Application Attack and Audit Framework
    Esql.user_agent_original_to_lower like "*arachni*" or // Arachni Web Application Security Scanner
    Esql.user_agent_original_to_lower like "*skipfish*" or // Skipfish Web Application Security Scanner
    Esql.user_agent_original_to_lower like "*openvas*" or // OpenVAS Vulnerability Scanner
    Esql.user_agent_original_to_lower like "*acunetix*" or // Acunetix Vulnerability Scanner
    Esql.user_agent_original_to_lower like "*zap*" or // OWASP ZAP
    Esql.user_agent_original_to_lower like "*burp*" // Burp Suite
| keep @timestamp, event.dataset, user_agent.original, source.ip, agent.id, host.name, Esql.url_original_to_lower, Esql.user_agent_original_to_lower, data_stream.namespace
| stats
    Esql.event_count = count(),
    Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),
    Esql.host_name_values = values(host.name),
    Esql.agent_id_values = values(agent.id),
    Esql.url_original_values = values(Esql.url_original_to_lower),
    Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),
    Esql.event_dataset_values = values(event.dataset),
    Esql.data_stream_namespace_values = values(data_stream.namespace)
  by source.ip, agent.id
| where Esql.event_count > 50 and Esql.url_original_count_distinct > 10
```
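The rule above does three things: lower-case the user agent, match it against wildcard patterns, then aggregate by source and agent and keep only sources with more than 50 hits across more than 10 distinct URLs. The following is an added example, not part of the Elastic rule, that re-implements that logic in Python over a constructed set of access-log events so the thresholds can be checked locally; the pattern subset, the event field names and the sample IPs are assumptions.

```python
"""Local re-implementation of the rule's user-agent matching and thresholds."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Subset of the rule's patterns; ES|QL `like` uses * as a wildcard, like fnmatch.
UA_PATTERNS = {
    "nikto*": "Nikto",
    "*nessus*": "Nessus Vulnerability Scanner",
    "sqlmap/*": "SQLMap",
    "gobuster/*": "Gobuster",
    "dirbuster*": "Dirbuster",
    "*nmap*": "Nmap Scripting Engine",
    "*zap*": "OWASP ZAP",
    "*burp*": "Burp Suite",
}

def match_scanner(user_agent):
    """Return the tool whose pattern matches the lower-cased UA, else None."""
    ua = user_agent.lower()  # mirrors to_lower(user_agent.original)
    for pattern, tool in UA_PATTERNS.items():
        if fnmatchcase(ua, pattern):
            return tool
    return None

def evaluate(events, min_events=50, min_distinct_urls=10):
    """Group matching events by (source.ip, agent.id) as the rule's `stats` does
    and return only groups exceeding both thresholds (strict >, as in the rule)."""
    groups = defaultdict(lambda: {"count": 0, "urls": set(), "tools": set()})
    for ev in events:
        tool = match_scanner(ev["user_agent.original"])
        if tool is None:
            continue
        g = groups[(ev["source.ip"], ev["agent.id"])]
        g["count"] += 1
        g["urls"].add(ev["url.original"].lower())  # count_distinct on lower-cased URL
        g["tools"].add(tool)
    return {
        key: {"event_count": g["count"], "url_count_distinct": len(g["urls"]), "tools": sorted(g["tools"])}
        for key, g in groups.items()
        if g["count"] > min_events and len(g["urls"]) > min_distinct_urls
    }

# Constructed sample (documentation IP ranges): one SQLMap source probing 60 paths,
# one ordinary browser, and one Nikto source that hits a single URL repeatedly.
SAMPLE_EVENTS = (
    [{"source.ip": "203.0.113.7", "agent.id": "web-01", "user_agent.original": "sqlmap/1.7.2#stable (https://sqlmap.org)", "url.original": f"/Item.php?id={i}"} for i in range(60)]
    + [{"source.ip": "198.51.100.4", "agent.id": "web-01", "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", "url.original": "/index.html"} for _ in range(80)]
    + [{"source.ip": "192.0.2.9", "agent.id": "web-01", "user_agent.original": "Nikto/2.1.6", "url.original": "/robots.txt"} for _ in range(70)]
)

if __name__ == "__main__":
    for key, hit in evaluate(SAMPLE_EVENTS).items():
        print(key, hit)
```

Only the SQLMap source is reported: the Nikto source matches a pattern but fails the distinct-URL threshold, which is what keeps single-page probes and misfires of broad patterns such as `*zap*` out of the alert.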
Install detection rules in Elastic Security
Detect Web Server Suspicious User Agent Requests in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.