Potential HTTP Downgrade Attack
Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection to use an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions.
# Rule bookkeeping consumed by the detection-rules tooling. Dates are "YYYY/MM/DD" strings,
# not TOML dates, to match the repository's existing rule files.
[metadata]
creation_date = "2025/11/27"
# Integrations whose access logs feed this rule; these correspond to the
# "logs-<integration>.access-*" patterns listed under [rule].index.
integration = ["nginx", "apache", "apache_tomcat"]
maturity = "production"
updated_date = "2025/11/27"

[rule]
author = ["Elastic"]
description = """
Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying
HTTP traffic that uses a different HTTP version than the one typically used in the environment. An
HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version,
resulting in potentially less secure communication. For example, an attacker might downgrade a
connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in
the older protocol versions.
"""
# Each run evaluates the last 9 minutes; presumably a margin over the schedule interval so that
# events that are ingested late (see timestamp_override) are still evaluated once.
from = "now-9m"
# Access-log data streams for the three web-server integrations named in [metadata].
index = [
  "logs-nginx.access-*",
  "logs-apache.access-*",
  "logs-apache_tomcat.access-*",
]
language = "kuery"
license = "Elastic License v2"
name = "Potential HTTP Downgrade Attack"
# NOTE(review): low score/severity is deliberate for a first-seen signal — a new HTTP version per
# agent can also come from client upgrades or infrastructure changes, so treat the alert as a
# lead to correlate with other web-server rules rather than a standalone incident.
risk_score = 21
rule_id = "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e"
severity = "low"
tags = [
  "Domain: Web",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Nginx",
  "Data Source: Apache",
  "Data Source: Apache Tomcat",
]
# Query against the ingest timestamp instead of @timestamp so delayed shipping from the web
# servers does not let events fall outside the lookback window.
timestamp_override = "event.ingested"
# new_terms: alert when the field combination configured under [rule.new_terms] has not been
# observed within the history window.
type = "new_terms"
# The query only requires http.version to be present; it neither restricts the version nor
# compares it with a baseline, so "downgrade" is inferred purely from novelty. A first-seen
# newer version (e.g. HTTP/2 or HTTP/3 appearing on an agent) would match just the same.
query = '''
http.version:*
'''

# MITRE ATT&CK mapping: protocol downgrade is catalogued under Defense Evasion as the
# T1562.010 "Downgrade Attack" sub-technique of T1562 "Impair Defenses".
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[[rule.threat.technique.subtechnique]]
id = "T1562.010"
name = "Downgrade Attack"
reference = "https://attack.mitre.org/techniques/T1562/010/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

# The alert keys on the pair (http.version, agent.id): an HTTP version that this particular
# agent has not reported within the history window. Including agent.id keeps a version that is
# routine on one web server from being baselined as "known" for every other server.
[rule.new_terms]
field = "new_terms_fields"
value = ["http.version", "agent.id"]

# Baseline window: pairs seen in the preceding 7 days count as known. NOTE(review): a version
# that reappears on an agent after more than 7 days of absence is expected to alert again —
# confirm this is acceptable for environments with infrequent legacy clients.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
Related rules
- Potential Spike in Web Server Error Logs
- Web Server Discovery or Fuzzing Activity
- Web Server Potential Command Injection Request
- Web Server Potential Spike in Error Response Codes
- Web Server Suspicious User Agent Requests