forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
apm_403_response_to_a_post.toml
35 lines (32 loc) · 1.09 KB
/
apm_403_response_to_a_post.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
[metadata]
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
A POST request to a web application returned a 403 response, which indicates the web application declined to process the
request because the action requested was not allowed.
"""
false_positives = [
"""
Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers
of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate
suspicious or malicious activity.
""",
]
index = ["apm-*-transaction*", "traces-apm*"]
language = "kuery"
license = "Elastic License v2"
name = "Web Application Suspicious Activity: POST Request Declined"
references = ["https://en.wikipedia.org/wiki/HTTP_403"]
risk_score = 47
rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
severity = "medium"
tags = ["Data Source: APM"]
timestamp_override = "event.ingested"
type = "query"
query = '''
http.response.status_code:403 and http.request.method:post
'''