High-frequency, repetitive service requests (e.g., HTTP, TLS renegotiation) originating from a single source IP or a small set of source IPs, targeting endpoint web services or application ports and leading to exhaustion of CPU or memory on the targeted Windows services.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | WinEventLog:Application | Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Host Status (DC0018) | Windows:perfmon | Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe) |

| Field | Description |
|---|---|
| TimeWindow | Defines burst threshold (e.g., 1 min, 5 min) for connection spikes |
| TargetServicePort | Specific ports/services likely to be abused (e.g., 80, 443, 8080) |
| CPUThreshold | Level of sustained CPU usage considered anomalous for a given service |

Excessive inbound HTTP or TLS connections to services such as Apache or Nginx, causing worker thread exhaustion or segmentation faults.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | auditd:SYSCALL | High frequency of accept() or read() syscalls tied to nginx/apache processes (SSL_read() is an OpenSSL library call, not a syscall, so it is visible to auditd only as the underlying read()/recv() syscalls) |
| Network Traffic Flow (DC0078) | NSM:Flow | Sudden spike in incoming flows to web service ports from single/multiple IPs |
| Application Log Content (DC0038) | linux:syslog | Repetitive HTTP 408, 500, or 503 errors logged within a short timeframe |

| Field | Description |
|---|---|
| ErrorCodeWindow | Tunable count of specific HTTP error codes in timeframe |
| ConnectionRateThreshold | Defines number of connections per second considered anomalous |

Flood of incoming TLS or HTTP(S) connections to macOS-hosted services (e.g., MAMP, Apache), causing high CPU usage and system unresponsiveness.

| Data Component | Name | Channel |
|---|---|---|
| Host Status (DC0018) | macos:unifiedlog | Web service process (e.g., httpd) entering crash loop or consuming excessive CPU |
| Network Traffic Content (DC0085) | macos:unifiedlog | Rapid incoming TLS handshakes or HTTP requests in quick succession |

| Field | Description |
|---|---|
| TLSHandshakeRate | Number of renegotiations per minute considered suspicious |
| ServiceCrashFrequency | Threshold of crashes before alerting on instability |

Automated or scripted HTTP/TLS flooding from one VM or cloud instance against another service, driving up compute-based billing or exhausting the service infrastructure.

| Data Component | Name | Channel |
|---|---|---|
| Firewall Rule Modification (DC0051) | AWS:CloudTrail | AuthorizeSecurityGroupIngress |
| Network Traffic Flow (DC0078) | AWS:VPCFlowLogs | Unusual volume of inbound packets from single source across short time interval |
| Host Status (DC0018) | AWS:CloudWatch | Sustained spike in CPU usage on EC2 instance with web service role |

| Field | Description |
|---|---|
| VPCFlowBurstRate | Threshold for traffic burst on target service port |
| EC2CPUThreshold | Compute saturation level for alerting (e.g., >90% for 3 minutes) |
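A sliding-window implementation of the TimeWindow / ConnectionRateThreshold / VPCFlowBurstRate and ErrorCodeWindow tunables from the analytics above, as an added example that is not part of this page or of any ATT&CK tooling; the flow records and status codes are constructed samples, and the (timestamp, source IP, destination port) field layout is an assumption about how the Sysmon, NSM or VPC flow events would be normalised.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample connection records shaped like Sysmon EventCode=3 / NSM / VPC
# flow fields: (timestamp, source IP, destination port). Not real captured data.
SAMPLE_FLOWS = [
    ("2024-05-01T10:00:00", "203.0.113.7", 443), ("2024-05-01T10:00:00", "203.0.113.7", 443),
    ("2024-05-01T10:00:01", "203.0.113.7", 443), ("2024-05-01T10:00:01", "203.0.113.7", 443),
    ("2024-05-01T10:00:02", "203.0.113.7", 443), ("2024-05-01T10:00:02", "203.0.113.7", 443),
    ("2024-05-01T10:00:01", "198.51.100.2", 443), ("2024-05-01T10:04:00", "198.51.100.2", 80),
    ("2024-05-01T10:00:01", "192.0.2.5", 22), ("2024-05-01T10:00:02", "192.0.2.5", 22),
]
# Constructed web-server access-log entries: (timestamp, HTTP status code).
SAMPLE_STATUS = [
    ("2024-05-01T10:00:00", 200), ("2024-05-01T10:00:01", 503), ("2024-05-01T10:00:02", 503),
    ("2024-05-01T10:00:03", 408), ("2024-05-01T10:00:04", 200), ("2024-05-01T10:00:05", 503),
    ("2024-05-01T10:05:00", 503),
]

def peak_in_window(times, window_seconds):
    """Largest number of timestamps inside any window_seconds-long interval."""
    window, peak = deque(), 0
    for t in sorted(times):
        window.append(t)
        # Evict events older than the window relative to the newest event.
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak

def burst_sources(flows, target_ports, window_seconds, threshold):
    """ConnectionRateThreshold / VPCFlowBurstRate check: {source_ip: peak}
    for sources reaching threshold connections to target_ports in a window."""
    by_src = defaultdict(list)
    for ts, src, port in flows:
        if port in target_ports:
            by_src[src].append(datetime.fromisoformat(ts))
    alerts = {}
    for src, times in by_src.items():
        peak = peak_in_window(times, window_seconds)
        if peak >= threshold:
            alerts[src] = peak
    return alerts

def error_burst(status_events, error_codes, window_seconds, threshold):
    """ErrorCodeWindow check: peak count of error_codes in any window, or 0 if
    the peak stays below threshold."""
    times = [datetime.fromisoformat(ts) for ts, code in status_events if code in error_codes]
    peak = peak_in_window(times, window_seconds)
    return peak if peak >= threshold else 0
```

With a 5-second window and a threshold of 5, only 203.0.113.7 is flagged (6 connections to 443); the port-22 traffic is ignored because it is outside TargetServicePort, and the spread-out 198.51.100.2 requests never exceed one per window.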