Web Application Suspicious Activity: POST Request Declined

calendar Jun 22, 2023 · Data Source: APM  ·
Share on: linkedin copy

A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3integration = ["apm"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12A POST request to a web application returned a 403 response, which indicates the web application declined to process the
13request because the action requested was not allowed.
14"""
15false_positives = [
16    """
17    Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers
18    of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate
19    suspicious or malicious activity.
20    """,
21]
22index = ["apm-*-transaction*", "traces-apm*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Web Application Suspicious Activity: POST Request Declined"
26references = ["https://en.wikipedia.org/wiki/HTTP_403"]
27risk_score = 47
28rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
29severity = "medium"
30tags = ["Data Source: APM"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35http.response.status_code:403 and http.request.method:post
36'''

References

  • HTTP 403 - Wikipedia

    HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it, if it was correct. HTTP 403 provides a distinct er...


    Read More

Related rules

to-top