Techniques
Sample rules
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
- source: splunk
- techniques:
Description
This analytic detects probable automated web reconnaissance using Cisco Secure Access proxy telemetry. A high volume of HTTP client errors (401, 403, 404, etc.) spread across many unique URLs within a short window is consistent with the directory and file enumeration behavior generated by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder. Detecting this pattern helps identify pre-exploitation scanning, insider reconnaissance, compromised endpoints performing discovery, and attempts to locate hidden administrative paths, APIs, backups, and exposed application files.
Detection logic
`cisco_secure_access_proxy`
| eval src_ip=coalesce(src_ip, src)
| eval host=coalesce(hostname, host)
| eval user=coalesce(user, identities)
| eval status=tonumber(status)
| eval domain=replace(url, "^https?://([^/]+).*$", "\\1")
| eval user_agent=coalesce(http_user_agent, user_agent)
| where status IN (400, 401, 403, 404, 405, 407, 414, 429, 431)
| bucket _time span=10m
| stats count as errors dc(url) as unique_urls values(status) as statuses values(user_agent) as user_agent values(host) as host values(user) as user by src_ip domain _time
| where errors > 100 AND unique_urls > 50
| eval firstTime=_time, lastTime=_time
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_sa___automated_web_reconnaissance_via_http_access_errors_filter`
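The same grouping and dual threshold as the SPL search (error count and distinct-URL count per source, destination domain and 10-minute bucket), run in Python over constructed proxy events so the logic can be exercised offline. This is an added example, not Splunk or Cisco code; the events, host name and user agents are constructed.

```python
import re
from collections import defaultdict

# Same client-error set and 10-minute span as the SPL search above.
ERROR_STATUSES = {400, 401, 403, 404, 405, 407, 414, 429, 431}
SPAN_SECONDS = 600

def domain_of(url):
    # Mirrors replace(url, "^https?://([^/]+).*$", "\\1"): keep only the host part.
    m = re.match(r"^https?://([^/]+).*$", url)
    return m.group(1) if m else url

def detect_recon(events, error_threshold=100, unique_url_threshold=50):
    """Group error responses by (src_ip, domain, 10m bucket) and flag groups that
    exceed BOTH thresholds, like `where errors > 100 AND unique_urls > 50`."""
    groups = defaultdict(lambda: {"errors": 0, "urls": set(), "statuses": set(), "uas": set()})
    for ev in events:
        status = int(ev["status"])
        if status not in ERROR_STATUSES:                    # `where status IN (...)`
            continue
        bucket = ev["_time"] - ev["_time"] % SPAN_SECONDS   # `bucket _time span=10m`
        g = groups[(ev["src_ip"], domain_of(ev["url"]), bucket)]
        g["errors"] += 1
        g["urls"].add(ev["url"])
        g["statuses"].add(status)
        g["uas"].add(ev.get("user_agent", ""))
    alerts = []
    for (src_ip, domain, bucket), g in sorted(groups.items()):
        if g["errors"] > error_threshold and len(g["urls"]) > unique_url_threshold:
            alerts.append({"src_ip": src_ip, "domain": domain, "firstTime": bucket,
                           "errors": g["errors"], "unique_urls": len(g["urls"]),
                           "statuses": sorted(g["statuses"]), "user_agent": sorted(g["uas"])})
    return alerts

def constructed_events():
    """Constructed proxy telemetry (not real Cisco Secure Access data), all in one 10m bucket."""
    base = 1_700_000_400                      # arbitrary epoch, aligned to a 600 s boundary
    host = "https://intranet.example.com"     # hypothetical internal site
    ev = []
    # 10.0.0.5 requests 150 distinct paths, mostly 404 with some 403: should alert.
    for i in range(150):
        ev.append({"_time": base + 2 * i, "src_ip": "10.0.0.5", "status": 403 if i % 10 == 0 else 404,
                   "url": f"{host}/wordlist-path-{i}", "user_agent": "constructed-scanner/1.0"})
    # The same client also receives 10 successful responses; 2xx must not count as errors.
    for i in range(10):
        ev.append({"_time": base + 300 + i, "src_ip": "10.0.0.5", "status": 200,
                   "url": f"{host}/page-{i}", "user_agent": "constructed-scanner/1.0"})
    # 10.0.0.9 hits the same three broken links 120 times: many errors, 3 unique URLs, no alert.
    for i in range(120):
        ev.append({"_time": base + i, "src_ip": "10.0.0.9", "status": 404,
                   "url": f"{host}/{['favicon.ico', 'old.css', 'missing.js'][i % 3]}",
                   "user_agent": "Mozilla/5.0"})
    return ev
```

The second client shows why both conditions are required: a broken page that generates hundreds of 404s for a handful of URLs is noisy but is not enumeration.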