Web Server Access

The public Web is an interface between a company and the outside world and is continuously under the threat of attack.

Web Server Access logs are a record of HTTP requests made by clients to a web server, such as a website, a web-based service, or an API.

You may use Web Server Access logs to:

  • Identify dictionary/brute force attempts against directories and files by looking for multiple 404s from a single address.
  • Identify exfiltration of data staged within a webroot.
  • Identify web scanners looking for common vulnerable web applications (such as Drupal, WordPress, Apache Tomcat, and Struts).
  • Identify exchange vulnerabilities: there has been an increase in automated exploits where threat actors gain a foothold in a network and return days, weeks, or months later.
  • Actively collect web server logs in real-time so that if attackers delete them, you’ll have access to the evidence and forensics artifacts necessary for investigation.
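
The first use in the list above, multiple 404s from a single address, can be sketched as a sliding-window count over access log lines. This is an added example, not InsightIDR code or detection logic: it assumes Common/Combined Log Format, the function names are hypothetical, the threshold and window are illustrative values, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Common/Combined Log Format: client ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return (ip, timestamp, path, status), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

# threshold and window are illustrative defaults; tune them against your own traffic.
def find_404_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map clients with >= threshold 404s inside `window` to the paths they requested."""
    recent = defaultdict(deque)   # ip -> (timestamp, path) of 404s still inside the window
    flagged = defaultdict(set)
    for line in lines:            # assumes chronological order, as in an access log
        rec = parse(line)
        if rec is None or rec[3] != 404:
            continue
        ip, ts, path, _ = rec
        q = recent[ip]
        q.append((ts, path))
        while ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[ip].update(p for _, p in q)
    return {ip: sorted(paths) for ip, paths in flagged.items()}

def _line(ip, minute, sec, path, status):
    # Constructed sample entry; addresses come from the RFC 5737 documentation ranges.
    return (f'{ip} - - [10/Mar/2024:13:{minute:02d}:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "example-agent"')

PROBED = ["/admin/", "/backup/", "/old/", "/private/", "/test/", "/tmp/"]
SAMPLE_LOG = (
    [_line("203.0.113.7", 0, i, p, 404) for i, p in enumerate(PROBED)]          # burst
    + [_line("198.51.100.20", 1, 0, "/index.html", 200),
       _line("198.51.100.20", 1, 2, "/favicon.ico", 404)]                        # normal user
    + [_line("192.0.2.50", 2 + 2 * i, 0, p, 404) for i, p in enumerate(PROBED)]  # spread out
    + ['192.0.2.99 - - [10/Mar/2024:13:30:00 +0000] "-" 408 0 "-" "-"']          # no request line
)

print(find_404_bursts(SAMPLE_LOG))
```

Only the address that produced six 404s within a few seconds is reported; the client whose 404s are two minutes apart and the browser missing a single file are not, and the entry without a request line is skipped rather than raising an error.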

You can configure the following Web Server Access event sources in InsightIDR: