A single IP address that triggers a large number of HTTP 403 (Forbidden) responses is likely an adversary probing a web application for restricted paths (automated scanning, forced browsing or credential brute force) or attempting to overwhelm it. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify reconnaissance or attack activity that may escalate to more severe threats.
KQL Query

```kql
CommonSecurityLog
| where DeviceProduct =~ "Wazuh"
| where Activity has "Web server 400 error code."
| where Message has "403"
| extend HostName=substring(split(DeviceCustomString1,")")[0],1)
// count() rather than dcount(SourceIP): grouped by SourceIP the distinct count is always 1, so the threshold below could never fire
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count() by HostName, SourceIP
| where NumberOfErrors > 400
| sort by NumberOfErrors desc
| extend timestamp = StartTime
```
```yaml
id: 2790795b-7dba-483e-853f-44aa0bc9c985
name: Wazuh - Large Number of Web errors from an IP
description: |
  'Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://documentation.wazuh.com/current/cloud-security/azure/index.html'
severity: Low
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  CommonSecurityLog
  | where DeviceProduct =~ "Wazuh"
  | where Activity has "Web server 400 error code."
  | where Message has "403"
  | extend HostName=substring(split(DeviceCustomString1,")")[0],1)
  // count() rather than dcount(SourceIP): grouped by SourceIP the distinct count is always 1
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count() by HostName, SourceIP
  | where NumberOfErrors > 400
  | sort by NumberOfErrors desc
  | extend timestamp = StartTime
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: HostName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Jordan Ross
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Networking" ]
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
Scenario: Scheduled Web Crawling by Compliance Tools
Description: A compliance tool like WebHarvy or CrawlTrack is scheduled to crawl a website for accessibility or SEO audits, generating a large number of 403 errors due to restricted access to certain pages.
Filter/Exclusion: Exclude IP addresses associated with known compliance tools or add a filter for user agents containing “WebHarvy” or “CrawlTrack”.
Scenario: Internal Load Testing with JMeter
Description: An internal load testing job using Apache JMeter is simulating high traffic to a web application, which results in 403 errors due to rate limiting or misconfigured access controls.
Filter/Exclusion: Exclude IPs from the internal network or add a filter for user agents containing “JMeter” or “Apache-HttpClient”.
Scenario: Automated Backup or Sync Jobs
Description: A backup tool like rsync or Veeam is attempting to access web-based backups or sync services, leading to 403 errors when accessing restricted endpoints.
Filter/Exclusion: Exclude IPs used by backup systems or add a filter for user agents containing “rsync”, “Veeam”, or “Backup”.
Scenario: Admin Task - Web Server Configuration Audit
Description: An admin is manually testing web server configurations using tools like curl or wget to verify access controls, which results in 403 errors when testing restricted directories.
Filter/Exclusion: Exclude IPs used by admin workstations or add a filter for user agents containing “curl”, “wget”, or “Mozilla/5.0 (Admin)”.
Scenario: API Gateway Rate Limiting
Description: An API gateway (e.g., NGINX Plus, Kong)
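The following is an added example, not part of the Sentinel rule, Wazuh or any of the tools named above. It models the rule's aggregation (the three `where` filters, the `HostName` extraction from `DeviceCustomString1`, the `summarize` by host and source IP and the `> 400` threshold) in plain Python over constructed rows that stand in for `CommonSecurityLog`, and layers on the IP allow-list and user-agent exclusions suggested by the false-positive scenarios. The `(host) ...` layout of `DeviceCustomString1`, the message format, the IPs and the user agents are all assumptions. It also shows why the rule has to count rows rather than use `dcount(SourceIP)` grouped by `SourceIP`: the distinct count per group is always 1, so that threshold can never fire.

```python
"""Offline model of the Wazuh 403-flood rule's aggregation with false-positive tuning.

Constructed sample rows stand in for CommonSecurityLog; this is plain Python,
not KQL, and the row layout below is an assumption, not Wazuh's CEF schema.
"""
from datetime import datetime, timedelta, timezone

THRESHOLD = 400  # same threshold as the rule's `where NumberOfErrors > 400`

# Tuning lists suggested by the false-positive scenarios (constructed placeholder values).
ALLOWED_SOURCE_IPS = {"10.10.0.50"}  # e.g. the internal JMeter load-test runner
BENIGN_USER_AGENTS = ("WebHarvy", "CrawlTrack", "JMeter", "Apache-HttpClient",
                      "rsync", "Veeam", "curl", "wget")


def host_name(device_custom_string1: str) -> str:
    """Mirror of substring(split(DeviceCustomString1, ")")[0], 1):
    the text before the first ')' with its leading '(' dropped."""
    return device_custom_string1.split(")")[0][1:]


def matches_rule_filters(row: dict) -> bool:
    """The rule's three `where` clauses (substring match stands in for KQL `has`)."""
    return (row["DeviceProduct"].lower() == "wazuh"          # DeviceProduct =~ "Wazuh"
            and "Web server 400 error code." in row["Activity"]
            and "403" in row["Message"])


def is_excluded(row: dict) -> bool:
    """Exclusions from the scenarios: allow-listed IPs or a benign user agent in the message."""
    if row["SourceIP"] in ALLOWED_SOURCE_IPS:
        return True
    message = row["Message"].lower()
    return any(agent.lower() in message for agent in BENIGN_USER_AGENTS)


def summarize(rows, apply_exclusions=True):
    """Group by (HostName, SourceIP) like the rule's `summarize`."""
    groups = {}
    for row in rows:
        if not matches_rule_filters(row):
            continue
        if apply_exclusions and is_excluded(row):
            continue
        key = (host_name(row["DeviceCustomString1"]), row["SourceIP"])
        g = groups.setdefault(key, {"StartTime": row["TimeGenerated"],
                                    "EndTime": row["TimeGenerated"],
                                    "Rows": 0, "DistinctIPs": set()})
        g["StartTime"] = min(g["StartTime"], row["TimeGenerated"])
        g["EndTime"] = max(g["EndTime"], row["TimeGenerated"])
        g["Rows"] += 1                          # what count() returns
        g["DistinctIPs"].add(row["SourceIP"])   # what dcount(SourceIP) returns
    return groups


def alerts(rows, apply_exclusions=True, use_dcount=False):
    """Return (HostName, SourceIP, NumberOfErrors) triples over THRESHOLD, highest first.

    use_dcount=True reproduces dcount(SourceIP) grouped by SourceIP: every group
    then has exactly one distinct IP, so nothing ever exceeds 400.
    """
    hits = []
    for (host, ip), g in summarize(rows, apply_exclusions).items():
        n = len(g["DistinctIPs"]) if use_dcount else g["Rows"]
        if n > THRESHOLD:
            hits.append((host, ip, n))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


def make_row(ts, ip, user_agent, status="403", host="web01"):
    """One constructed CommonSecurityLog-like row; the field layout is an assumption."""
    return {
        "TimeGenerated": ts,
        "DeviceProduct": "Wazuh",
        "Activity": "Web server 400 error code.",
        "Message": f'{status} GET /admin HTTP/1.1 "{user_agent}"',
        "DeviceCustomString1": f"({host}) 10.0.0.12->/var/log/nginx/access.log",
        "SourceIP": ip,
    }


def sample_rows():
    """Constructed day of traffic: one real scanner plus the false-positive cases."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rows = []
    for i in range(450):   # unknown scanner: 450 x 403 -> should alert
        rows.append(make_row(t0 + timedelta(seconds=i), "198.51.100.23", "python-requests/2.31"))
    for i in range(500):   # internal JMeter run: excluded by IP allow-list and user agent
        rows.append(make_row(t0 + timedelta(seconds=i), "10.10.0.50", "Apache-HttpClient/4.5"))
    for i in range(420):   # compliance crawler from an outside IP: excluded by user agent only
        rows.append(make_row(t0 + timedelta(seconds=i), "203.0.113.9", "CrawlTrack/1.0"))
    for i in range(50):    # ordinary user hitting a restricted page: below threshold
        rows.append(make_row(t0 + timedelta(minutes=i), "192.0.2.77", "Mozilla/5.0"))
    for i in range(600):   # 404s, not 403s: dropped by the Message filter
        rows.append(make_row(t0 + timedelta(seconds=i), "192.0.2.78", "Mozilla/5.0", status="404"))
    return rows


if __name__ == "__main__":
    for host, ip, n in alerts(sample_rows()):
        print(f"{host} {ip} NumberOfErrors={n}")
```

Running it reports only the unknown scanner; with `apply_exclusions=False` the JMeter run and the crawler also cross the threshold, and with `use_dcount=True` nothing fires at all. In production the user-agent exclusion should be applied in KQL against the field Wazuh actually populates (`Message` or `RequestClientApplication`, depending on the decoder), and `has` is a whole-term match rather than the substring match used here, so short tokens such as `curl` need to be checked against real events before they are added to the allow-list.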