Web Application Suspicious Activity: POST Request Declined

A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3integration = ["apm"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10A POST request to a web application returned a 403 response, which indicates the web application declined to process the
11request because the action requested was not allowed.
12"""
13false_positives = [
14    """
15    Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers
16    of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate
17    suspicious or malicious activity.
18    """,
19]
20index = ["apm-*-transaction*", "traces-apm*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Web Application Suspicious Activity: POST Request Declined"
24references = ["https://en.wikipedia.org/wiki/HTTP_403"]
25risk_score = 47
26rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
27severity = "medium"
28tags = ["Data Source: APM"]
29timestamp_override = "event.ingested"
30type = "query"
31
32query = '''
33http.response.status_code:403 and http.request.method:post
34'''

References

Related rules

to-top