Potential Cross Site Scripting (XSS)

edit

Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.

Rule type: eql

Rule indices:

  • apm--transaction
  • traces-apm*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: APM
  • Use Case: Threat Detection
  • Tactic: Initial Access

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
any where processor.name == "transaction" and
url.fragment : ("<iframe*", "*prompt(*)*", "<script*>", "<svg*>", "*onerror=*", "*javascript*alert*", "*eval*(*)*", "*onclick=*",
"*alert(document.cookie)*", "*alert(document.domain)*","*onresize=*","*onload=*","*onmouseover=*")

Framework: MITRE ATT&CKTM