IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Cross Site Scripting (XSS)
editPotential Cross Site Scripting (XSS)
editCross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.
Rule type: eql
Rule indices:
- apm--transaction
- traces-apm*
Severity: low
Risk score: 21
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Data Source: APM
- Use Case: Threat Detection
- Tactic: Initial Access
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editany where processor.name == "transaction" and url.fragment : ("<iframe*", "*prompt(*)*", "<script*>", "<svg*>", "*onerror=*", "*javascript*alert*", "*eval*(*)*", "*onclick=*", "*alert(document.cookie)*", "*alert(document.domain)*","*onresize=*","*onload=*","*onmouseover=*")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Drive-by Compromise
- ID: T1189
- Reference URL: https://attack.mitre.org/techniques/T1189/