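[metadata]
creation_date = "2023/11/15"

[rule]
author = ["Terguttac"]
description = "Detects Nmap and Nikto User Agent strings"
# This is the default value. Change as needed.
from = "now-6m"
# The query below uses KQL syntax (`field: value`, `and`/`or`), so the
# query language is declared explicitly rather than left to the default.
language = "kuery"
name = "Web Scanner Activity - Nmap and Nikto"
risk_score = 35
severity = "low"
# NOTE(review): this value has four hyphenated groups (8-4-4-12); a UUID has
# five (8-4-4-4-12). Rule engines that validate rule_id as a UUID will reject
# it — confirm the intended identifier before shipping.
rule_id = "00000000-0000-0000-000000000003"
type = "query"
# NOTE(review): no index pattern is set; confirm the consumer's default
# index selection actually covers the zeek.http dataset.
#
# KQL binds `and` tighter than `or`. Written as
# `event.dataset: zeek.http and A or B`, the original matched any Nikto
# user agent in any dataset, not just zeek.http. Parenthesising the two
# user-agent alternatives scopes both to zeek.http. Wildcard matches on a
# keyword field are case-sensitive, so "Nmap"/"Nikto" must appear with
# this capitalisation in the UA string.
query = '''
event.dataset: zeek.http and (user_agent.original: *Nmap* or user_agent.original: *Nikto*)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1046"
name = "Network Service Discovery"
reference = "https://attack.mitre.org/techniques/T1046/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"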