LoFP / Aggressive web vulnerability scanners, QA automation, uptime monitoring, and authorized security assessments can generate high HTTP error volumes with large URL diversity. Tune by allow-listing known scanner hosts, user agents, test domains, and approved assessment windows using the filter macro.

Techniques

Sample rules

Cisco SA - Automated Web Reconnaissance via HTTP Access Errors

Description

This analytic detects probable automated web reconnaissance using Cisco Secure Access proxy telemetry. A high volume of HTTP client errors (401/403/404/etc) across many unique URLs in a short window is consistent with directory/file enumeration behavior generated by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder. Detecting this pattern helps identify pre-exploitation scanning activity, insider reconnaissance, compromised endpoints performing discovery, and attempts to find hidden administrative paths, APIs, backups, and exposed application files.

Detection logic

`cisco_secure_access_proxy`
| eval src_ip=coalesce(src_ip, src)
| eval host=coalesce(hostname, host)
| eval user=coalesce(user, identities)
| eval status=tonumber(status)
| eval domain=replace(url, "^https?://([^/]+).*$", "\\1")
| eval user_agent=coalesce(http_user_agent, user_agent)
| where status IN (400, 401, 403, 404, 405, 407, 414, 429, 431)
| bucket _time span=10m
| stats count as errors dc(url) as unique_urls values(status) as statuses values(user_agent) as user_agent values(host) as host values(user) as user by src_ip domain _time
| where errors > 100 AND unique_urls > 50
| eval firstTime=_time, lastTime=_time
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_sa___automated_web_reconnaissance_via_http_access_errors_filter`
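The same aggregation and thresholds, written as plain Python over constructed proxy events so the logic can be checked offline; this is an added example, not part of the Splunk rule or the Cisco content. The allowed_src_ips parameter is an assumed stand-in for the allow-list that the filter macro would carry, and the event field names follow the rule after its coalesce steps.

```python
import re
from collections import defaultdict

# Status list, window and thresholds taken from the Splunk rule on this page.
CLIENT_ERROR_STATUSES = {400, 401, 403, 404, 405, 407, 414, 429, 431}
BUCKET_SECONDS = 600        # bucket _time span=10m
MIN_ERRORS = 100            # where errors > 100
MIN_UNIQUE_URLS = 50        # ... AND unique_urls > 50
DOMAIN_RE = re.compile(r"^https?://([^/]+).*$")

def domain_of(url):
    """Same extraction as: eval domain=replace(url, "^https?://([^/]+).*$", "\\1")."""
    m = DOMAIN_RE.match(url)
    return m.group(1) if m else url   # SPL replace() returns non-matching input unchanged

def detect_recon(events, allowed_src_ips=frozenset()):
    """Group client-error events per (src_ip, domain, 10-minute bucket) and return the
    groups over both thresholds; allowed_src_ips (assumed) mimics the filter macro."""
    buckets = defaultdict(lambda: {"errors": 0, "urls": set(), "statuses": set()})
    for ev in events:
        try:
            status = int(ev["status"])          # tonumber(status)
        except (KeyError, TypeError, ValueError):
            continue                            # null status never matches the IN list
        if status not in CLIENT_ERROR_STATUSES or ev["src_ip"] in allowed_src_ips:
            continue
        bucket = int(ev["_time"]) // BUCKET_SECONDS * BUCKET_SECONDS
        b = buckets[(ev["src_ip"], domain_of(ev["url"]), bucket)]
        b["errors"] += 1                        # count as errors
        b["urls"].add(ev["url"])                # dc(url) as unique_urls
        b["statuses"].add(status)               # values(status) as statuses
    return [
        {"src_ip": ip, "domain": dom, "bucket": t, "errors": b["errors"],
         "unique_urls": len(b["urls"]), "statuses": sorted(b["statuses"])}
        for (ip, dom, t), b in sorted(buckets.items())
        if b["errors"] > MIN_ERRORS and len(b["urls"]) > MIN_UNIQUE_URLS
    ]

def sample_events():
    """Constructed telemetry: 10.0.0.5 requests 120 distinct paths on one host and
    gets 404s inside one bucket; 10.0.0.9 hits a single missing page five times."""
    base = 1_700_000_400                        # aligned to a 10-minute boundary
    events = [{"_time": base + 4 * i, "src_ip": "10.0.0.5", "status": "404",
               "url": f"https://intranet.example/path{i}/"} for i in range(120)]
    events += [{"_time": base + i, "src_ip": "10.0.0.9", "status": 404,
                "url": "https://intranet.example/missing"} for i in range(5)]
    events.append({"_time": base, "src_ip": "10.0.0.5", "status": "n/a",
                   "url": "https://intranet.example/"})   # unparsable status: dropped
    return events
```

Running detect_recon(sample_events()) flags only the 10.0.0.5 group; passing allowed_src_ips={"10.0.0.5"} suppresses it the way an allow-list entry in the filter macro would.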