Elastic security

Description

This is a collection of SIEM detection rules in Elastic Security for web server logs, based on the Sigma project. The rule collection checks web server logs for suspicious events that indicate common threats.

Elastic Security detection rules based on Sigma rules

Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing Apache worker process

Apache Threading Error
Detects an issue in apache logs that reports threading related errors

Citrix Netscaler Attack CVE-2019-19781
Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway

Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server

Confluence Exploitation CVE-2019-3398
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers

Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)

CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 exploitation attempts

Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt – URI contains Guacamole

CVE-2020-10148 SolarWinds Orion API Auth Bypass
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report

SonicWall SSL/VPN Jarrewrite Exploit
Detects exploitation attempts of the SonicWall Jarrewrite Exploit

Source Code Enumeration Detection by Keyword
Detects source code enumeration that uses GET requests, by keyword searches in URL strings

TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188

DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report

CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Webshell Detection by Keyword
Detects webshells that use GET requests by keyword searches in URL strings

Exchange PowerShell Snap-Ins Used by HAFNIUM
Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM

Webshell ReGeorg Detection Via Web Logs
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.

Source

These rules are made by the Sigma Project. This is a collection of rules for several different attack tactics. The rules are created by the Sigma community and translated into the format for the Elastic Security Detection engine.

The translation was made with SIEGMA 

Tested versions: 7.x
ECS compliant: Yes
