[metadata] creation_date = "2023/07/12" integration = ["apm"] maturity = "deprecated" updated_date = "2025/03/04" deprecation_date = "2025/03/04" [rule] author = ["Elastic"] building_block_type = "default" description = """ Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts. """ from = "now-119m" index = ["apm-*-transaction*", "traces-apm*"] interval = "60m" language = "eql" license = "Elastic License v2" name = "Potential Cross Site Scripting (XSS)" references = ["https://github.com/payloadbox/xss-payload-list"] risk_score = 21 rule_id = "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c" severity = "low" tags = ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access","Rule Type: BBR"] timestamp_override = "event.ingested" type = "eql" query = ''' any where processor.name == "transaction" and url.fragment : ("<iframe*", "*prompt(*)*", "<script*>", "<svg*>", "*onerror=*", "*javascript*alert*", "*eval*(*)*", "*onclick=*", "*alert(document.cookie)*", "*alert(document.domain)*","*onresize=*","*onload=*","*onmouseover=*") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1189" name = "Drive-by Compromise" reference = "https://attack.mitre.org/techniques/T1189/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/"