Elastic security


This is a collection of SIEM detection rules in Elastic Security for web server logs based on the Sigma project. This rule collection checks about suspicious events to find common threats.

Elastic Security detection rules based on Sigma rules

Apache Segmentation Fault
Detects a segmentation fault error message caused by a creashing apache worker process

Apache Threading Error
Detects an issue in apache logs that reports threading related errors

Citrix Netscaler Attack CVE-2019-19781
Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server

Confluence Exploitation CVE-2019-3398
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers

Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 Exploitation attempts

Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt – URI contains Guacamole

CVE-2020-10148 SolarWinds Orion API Auth Bypass
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report

SonicWall SSL/VPN Jarrewrite Exploit
Detects exploitation attempts of the SonicWall Jarrewrite Exploit

Source Code Enumeration Detection by Keyword
Detects source code enumeration that use GET requests by keyword searches in URL strings

TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188

DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report

CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Webshell Detection by Keyword
Detects webshells that use GET requests by keyword searches in URL strings

Exchange PowerShell Snap-Ins Used by HAFNIUM
Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM

Webshell ReGeorg Detection Via Web Logs
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.


These rules are made by the Sigma Project. This is a collection of rules for several different attack tactics. The rules are created by the Sigma community and translated into the format for the Elastic Security Detection engine.

The translation was made with SIEGMA 

Tested versions 7.x
ECS compliant Yes

You must log in to submit a review.

Related downloads

Vega Clock UTC

This is a working clock visualization in UTC time.

Sigma Windows Process Creation detection rules

A collection of rules based on the Sigma rules for Windows (process creation folder) based on Winlogbeat data .

APM Services overview canvas

Average rating:

An adaptive turn key canvas example based on Elastic APM data.

Ask Me Anything Booth – Canvas Example

This is an example canvas page that shows how to visualize using canvas in general.

Cloudflare Kibana dashboards

Cloudflare dashboards and ingest pipelines to visualize cloudflare logs

Vega Compound Gauge

This is a compund gauge visualization made with Vega. Its very helpful for visualization of percentage values.

These downloads could be also interesting for you

Vega advanced heat map

Vega example to show GitHub commits per author per hour of day.

Buttons for Kibana dashboards

Link to every content you want within your Kibana dashboards. This example is using links to cloud providers.

Kibana alerting enhancement

This bundle enhances the Kibana alerting experience. Storing all relevant information in indices and visualize the data in dashboards.

Office 365 dashboards

A collection of Kibana dashboards to provide a holistic view of Microsoft Office 365 environments

ACSC Advisory IOCs detection rules

ACSC Advisory IOCs detection rules for Elastic SIEM

Google Cloud Log Ingestion dashboard

Canvas Board to analyze the log data collection of Google Cloud via Dataflow using the Google Cloud Metric module data