Potential Cross Site Scripting (XSS)
Warning
This rule has been deprecated as of 2025/03/04.
Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into otherwise trusted websites. The attacker abuses a benign web application to deliver malicious code to other users, generally in the form of a browser-side script. This building block rule flags APM transactions whose URL fragment contains common XSS payload patterns, such as script, iframe or svg tags, inline event handlers (onerror, onload, onclick and similar), and calls to alert, prompt or eval.
Rule type: eql
Rule indices:
- apm-*-transaction*
- traces-apm*
Rule Severity: low
Risk Score: 21
Runs every: 60m
Searches indices from: now-119m
Maximum alerts per execution: 100
References:
Tags:
- Data Source: APM
- Use Case: Threat Detection
- Tactic: Initial Access
- Rule Type: BBR
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
any where processor.name == "transaction" and
  url.fragment : ("<iframe*", "*prompt(*)*", "<script*>", "<svg*>", "*onerror=*", "*javascript*alert*", "*eval*(*)*", "*onclick=*",
                  "*alert(document.cookie)*", "*alert(document.domain)*", "*onresize=*", "*onload=*", "*onmouseover=*")
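The query above relies on the EQL `:` operator, which performs case-insensitive whole-value matching where `*` stands for any run of characters. The following Python is an added example, not part of the rule or of Elastic's code: it re-implements that matching for the rule's pattern list and runs it over a handful of constructed APM-style events (flattened ECS field names, not real telemetry) so the rule's behaviour on edge cases is visible. Two points worth seeing in practice: patterns without a leading `*` (such as `<script*>`) are anchored at the start of the fragment, so a payload preceded by any other text is not matched, and a percent-encoded fragment is not matched either, because the rule compares the raw stored value. The `run_rule_decoded` variant that decodes first is an extension for illustration, not something the rule does.

```python
import re
from urllib.parse import unquote

# Wildcard patterns copied verbatim from the rule's url.fragment clause.
XSS_FRAGMENT_PATTERNS = [
    "<iframe*", "*prompt(*)*", "<script*>", "<svg*>", "*onerror=*",
    "*javascript*alert*", "*eval*(*)*", "*onclick=*",
    "*alert(document.cookie)*", "*alert(document.domain)*",
    "*onresize=*", "*onload=*", "*onmouseover=*",
]


def eql_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL ':' wildcard pattern into an anchored, case-insensitive regex.

    EQL ':' on a keyword field matches the whole value case-insensitively;
    '*' matches any run of characters, '?' exactly one, everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [(p, eql_wildcard_to_regex(p)) for p in XSS_FRAGMENT_PATTERNS]


def matching_patterns(fragment: str) -> list:
    """Return the rule patterns that a given url.fragment value satisfies."""
    return [p for p, rx in COMPILED if rx.match(fragment)]


def rule_matches(event: dict) -> bool:
    """Evaluate the rule's condition on one flattened event document."""
    if event.get("processor.name") != "transaction":
        return False
    fragment = event.get("url.fragment")
    if fragment is None:  # a missing field never satisfies ':' in EQL
        return False
    return bool(matching_patterns(fragment))


# Constructed sample events (not real APM data); field names follow ECS.
SAMPLE_EVENTS = [
    {"processor.name": "transaction", "url.fragment": "<script>alert(document.cookie)</script>"},
    {"processor.name": "transaction", "url.fragment": "<img src=x onerror=alert(1)>"},
    {"processor.name": "transaction", "url.fragment": "javascript:alert(document.domain)"},
    {"processor.name": "transaction", "url.fragment": "section-2"},  # benign in-page anchor
    # "<script*>" is anchored at the start of the value, so leading text defeats it.
    {"processor.name": "transaction", "url.fragment": "intro<script>alert(1)</script>"},
    # Percent-encoded payload: the raw value contains no "onload=" or "<svg".
    {"processor.name": "transaction", "url.fragment": "%3Csvg%20onload%3Dalert(1)%3E"},
    {"processor.name": "span", "url.fragment": "<svg onload=alert(1)>"},  # not a transaction
    {"processor.name": "transaction"},  # no url.fragment at all
]


def run_rule(events: list) -> list:
    """Events the rule as written would alert on."""
    return [e for e in events if rule_matches(e)]


def run_rule_decoded(events: list) -> list:
    """Illustrative variant (not the rule's behaviour): percent-decode before matching."""
    hits = []
    for e in events:
        frag = e.get("url.fragment")
        if frag is None:
            continue
        decoded = dict(e, **{"url.fragment": unquote(frag)})
        if rule_matches(decoded):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        frag = e.get("url.fragment")
        print(f"{str(frag)!r:45} -> {matching_patterns(frag) if frag else 'no fragment'}")
    print("rule hits:", len(run_rule(SAMPLE_EVENTS)))
    print("hits after decoding:", len(run_rule_decoded(SAMPLE_EVENTS)))
```

Running it shows three hits for the rule as written and four once the fragment is decoded. One further caveat when tuning on this data source: browsers do not transmit the fragment part of a URL in the HTTP request, so server-side APM agents will not populate url.fragment from incoming requests; the field is filled where the full page URL is recorded, as by the browser (RUM) agent.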
Framework: MITRE ATT&CK
Tactic:
- Name: Initial Access
- Id: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Drive-by Compromise
- Id: T1189
- Reference URL: https://attack.mitre.org/techniques/T1189/