Detection: Cisco SA - Automated Web Reconnaissance via HTTP Access Errors

Description

This analytic detects probable automated web reconnaissance using Cisco Secure Access proxy telemetry. A high volume of HTTP client errors (401, 403, 404, etc.) across many unique URLs from one source in a short window is consistent with directory/file enumeration generated by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder. Detecting this pattern helps identify pre-exploitation scanning, insider reconnaissance, compromised endpoints performing discovery, and attempts to find hidden administrative paths, APIs, backups, and exposed application files.

`cisco_secure_access_proxy`
| eval src_ip=coalesce(src_ip, src)
| eval host=coalesce(hostname, host)
| eval user=coalesce(user, identities)
| eval status=tonumber(status)
| eval domain=replace(url, "^https?://([^/]+).*$", "\\1")
| eval user_agent=coalesce(http_user_agent, user_agent)
| where status IN (400, 401, 403, 404, 405, 407, 414, 429, 431)
| bucket _time span=10m
| stats count as errors dc(url) as unique_urls values(status) as statuses values(user_agent) as user_agent values(host) as host values(user) as user by src_ip domain _time
| where errors > 100 AND unique_urls > 50
| eval firstTime=_time, lastTime=_time
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_sa___automated_web_reconnaissance_via_http_access_errors_filter`
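The aggregation and threshold stages of the search above, re-implemented in Python over constructed proxy records so the logic can be checked offline. This is an added example, not code from the Splunk security content project; the record field names (`_time` as epoch seconds, `src_ip`, `url`, `status`) are assumed to match the normalized fields the search produces, and the sample events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Status codes and thresholds mirrored from the SPL search.
ERROR_STATUSES = {400, 401, 403, 404, 405, 407, 414, 429, 431}
MIN_ERRORS, MIN_UNIQUE_URLS = 100, 50
BUCKET_SECONDS = 600  # bucket _time span=10m
DOMAIN_RE = re.compile(r"^https?://([^/]+).*$")

def detect(events):
    """Return sorted (src_ip, domain, bucket_start, errors, unique_urls) tuples
    for every 10-minute bucket exceeding both thresholds, i.e. the
    `stats ... by src_ip domain _time | where` stage of the search."""
    groups = defaultdict(lambda: [0, set()])
    for ev in events:
        url = ev.get("url")
        if not url:
            continue  # stats ... by domain drops events with a null domain
        try:
            status = int(ev["status"])
        except (KeyError, ValueError, TypeError):
            continue  # tonumber() yields null, which the where clause excludes
        if status not in ERROR_STATUSES:
            continue
        m = DOMAIN_RE.match(url)
        domain = m.group(1) if m else url  # replace() leaves non-matching values as-is
        bucket = ev["_time"] - (ev["_time"] % BUCKET_SECONDS)
        g = groups[(ev["src_ip"], domain, bucket)]
        g[0] += 1
        g[1].add(url)
    return sorted(
        (ip, dom, b, errors, len(urls))
        for (ip, dom, b), (errors, urls) in groups.items()
        if errors > MIN_ERRORS and len(urls) > MIN_UNIQUE_URLS
    )

def constructed_events():
    """Constructed sample records (not real telemetry) covering three cases."""
    t0 = int(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc).timestamp())
    events = []
    # Wordlist-style enumeration: 120 distinct paths, all 404, inside four minutes.
    for i in range(120):
        events.append({"_time": t0 + 2 * i, "src_ip": "10.0.0.5",
                       "url": f"https://app.example.com/admin{i}/", "status": "404"})
    # Ordinary user hitting a few stale links: low volume, not flagged.
    for i in range(6):
        events.append({"_time": t0 + 30 * i, "src_ip": "10.0.0.9",
                       "url": f"https://app.example.com/old{i}.html", "status": "404"})
    # Repeated failures against one URL: many errors but no URL diversity, not flagged.
    for i in range(150):
        events.append({"_time": t0 + i, "src_ip": "10.0.0.7",
                       "url": "https://app.example.com/login", "status": "401"})
    return events
```

Only the enumerating source is returned; the single-URL case shows why the `unique_urls > 50` condition matters alongside the raw error count.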

Data Source

| Name | Platform | Sourcetype | Source |
| Cisco Secure Access Proxy | Other | 'cisco:cloud_security:proxy' | 'cisco_cloud_security_addon' |

Macros Used

| Name | Value |
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| cisco_sa___automated_web_reconnaissance_via_http_access_errors_filter | search * |
cisco_sa___automated_web_reconnaissance_via_http_access_errors_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK

| ID | Technique | Tactic |
| T1595 | Active Scanning | Reconnaissance |

Kill Chain Phases: Reconnaissance
NIST: DE.AE
CIS: CIS 10
Threat Actors:

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

| Setting | Value |
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

Ingest Cisco Secure Access proxy logs into Splunk using the Splunk Add-on for Cisco Security Cloud. Update the cisco_secure_access_proxy macro so it resolves to the index, source, and sourcetype values used in your deployment.

Known False Positives

Aggressive web vulnerability scanners, QA automation, uptime monitoring, and authorized security assessments can generate high HTTP error volumes with large URL diversity. Tune by allow-listing known scanner hosts, user agents, test domains, and approved assessment windows using the filter macro.

Associated Analytic Story

Intermediate Findings

| Message | Entity Field | Entity Type | Risk Score |
| Source $src_ip$ triggered probable automated web reconnaissance on $domain$ with $errors$ HTTP access errors across $unique_urls$ unique URLs. | user | user | 20 |

Threat Objects

| Field | Type |
| src_ip | ip_address |
| domain | domain |

References

Detection Testing

| Test Type | Status | Dataset | Source | Sourcetype |
| Validation | Passing | N/A | N/A | N/A |
| Unit | Passing | Dataset | cisco_cloud_security_addon | cisco:cloud_security:proxy |
| Integration | Passing | Dataset | cisco_cloud_security_addon | cisco:cloud_security:proxy |

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 2