Update detections/network/cisco_sa___automated_web_reconnaissance_via_http_access_errors.yml

patel-bhavin · nasbench · web-flow · commit 7f415f985d50 · 2026-06-04T17:48:01.000+05:30
Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;
diff --git a/detections/network/cisco_sa___automated_web_reconnaissance_via_http_access_errors.yml b/detections/network/cisco_sa___automated_web_reconnaissance_via_http_access_errors.yml
@@ -10,7 +10,6 @@ description: |
     This analytic detects probable automated web reconnaissance using Cisco Secure Access proxy telemetry.
     A high volume of HTTP client errors (401/403/404) across many unique URLs in a short window is consistent with directory/file enumeration behavior generated by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder.
     Detecting this pattern helps identify pre-exploitation scanning activity, insider reconnaissance, compromised endpoints performing discovery, and attempts to find hidden administrative paths, APIs, backups, and exposed application files.
-    Activity is mapped to MITRE ATT&CK T1595 (Active Scanning).
 data_source:
     - Cisco Secure Access Proxy
 search: |-
