Which SIEM platforms have a CVE-2024-27199 detection rule?

df00tech provides CVE-2024-27199 (JetBrains TeamCity Relative Path Traversal (CVE-2024-27199)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) (CVE-2024-27199)?

Detecting JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) requires the following data sources: W3CIISLog, CommonSecurityLog, AzureDiagnostics.

What severity and confidence is the CVE-2024-27199 detection?

The CVE-2024-27199 detection is rated high severity with high confidence.

What are common false positives for CVE-2024-27199?

Common false positives for CVE-2024-27199 include: Security scanners (Qualys, Nessus, Rapid7 InsightVM) performing authenticated web application scans; Penetration testers performing authorized assessments against TeamCity instances; Broken link crawlers or SEO tools that may follow malformed URLs.

CVE-2024-27199 Detection: JetBrains TeamCity Relative Path Traversal (CVE-2024-27199) (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

union isfuzzy=true
(
  AzureDiagnostics
  | where Category == "ApplicationGatewayAccessLog"
  | where requestUri_s matches regex @"(?i)/res/[^?]*(?:%2e%2e|\.\.)[^?]*/(?:admin|config|WEB-INF)"
  | project TimeGenerated, requestUri_s, clientIP_s, httpStatus_d, host_s, userAgent_s
),
(
  W3CIISLog
  | where csUriStem matches regex @"(?i)(?:/res/|/update/|/icons/)(?:[^/]*(?:%2e%2e|\.\.)[^/]*/)+"
  | project TimeGenerated, csUriStem, cIP, scStatus, csHost, csUserAgent
),
(
  CommonSecurityLog
  | where DeviceVendor in ("F5", "Palo Alto Networks", "Fortinet", "Cisco")
  | where RequestURL matches regex @"(?i)(?:/res/|/update/).*(?:%2e%2e|%252e%252e|\.\.).*(?:/admin|/config|WEB-INF|server\.xml)"
  | project TimeGenerated, RequestURL, SourceIP, EventOutcome, DestinationHostName, RequestClientApplication
)
| where TimeGenerated > ago(24h)
| extend DecodedPath = replace_string(replace_string(coalesce(requestUri_s, csUriStem, RequestURL), "%2e", "."), "%252e", ".")
| where DecodedPath matches regex @"(?i)(?:\.\./){1,}(?:admin|WEB-INF|conf|config|internal)"
| summarize RequestCount=count(), UniqueEndpoints=dcount(coalesce(requestUri_s, csUriStem, RequestURL)) by SourceIP=coalesce(clientIP_s, cIP, SourceIP), bin(TimeGenerated, 5m)
| where RequestCount >= 3
| extend RiskScore = case(RequestCount >= 20, "Critical", RequestCount >= 10, "High", "Medium")
| project TimeGenerated, SourceIP, RequestCount, UniqueEndpoints, RiskScore

Detects HTTP requests to JetBrains TeamCity containing path traversal sequences targeting restricted paths. Monitors IIS logs, WAF logs, and Azure Application Gateway logs for encoded and double-encoded dot-dot sequences in TeamCity URL patterns.

high severity high confidence

Data Sources

W3CIISLog CommonSecurityLog AzureDiagnostics

Required Tables

W3CIISLog CommonSecurityLog AzureDiagnostics

False Positives

Security scanners (Qualys, Nessus, Rapid7 InsightVM) performing authenticated web application scans
Penetration testers performing authorized assessments against TeamCity instances
Broken link crawlers or SEO tools that may follow malformed URLs
Misconfigured reverse proxies that rewrite or corrupt path segments before forwarding

Splunk

spl

index=web OR index=proxy OR index=waf sourcetype IN ("iis", "apache:access", "nginx:plus:kv", "pan:traffic", "f5:bigip:ltm:access")
| rex field=uri_path "(?i)(?<traversal_raw>(?:%2e%2e|%252e%252e|\.\.)(?:%2f|%252f|/))"
| rex field=cs_uri_stem "(?i)(?<traversal_raw2>(?:%2e%2e|%252e%252e|\.\.)(?:%2f|%252f|/))"
| eval has_traversal=if(isnotnull(traversal_raw) OR isnotnull(traversal_raw2), 1, 0)
| where has_traversal=1
| eval full_path=coalesce(uri_path, cs_uri_stem, url, c_uri)
| where match(full_path, "(?i)/(?:res|update|icons|plugins)/")
| eval decoded_path=replace(replace(replace(full_path, "%252e", "."), "%2e", "."), "%2f", "/")
| where match(decoded_path, "(?i)(?:\.\./)+(?:WEB-INF|admin|config|internal|server\.xml|web\.xml)")
| stats count AS request_count, dc(full_path) AS unique_paths, values(full_path) AS paths, values(status) AS response_codes BY src_ip, dest_host, _time span=5m
| where request_count >= 3
| eval severity=case(request_count >= 20, "critical", request_count >= 10, "high", 1==1, "medium")
| table _time, src_ip, dest_host, request_count, unique_paths, paths, response_codes, severity
| sort -request_count

Detects path traversal exploitation attempts against JetBrains TeamCity by analyzing web access logs for encoded dot-dot sequences targeting TeamCity-specific URL prefixes. Aggregates by source IP over 5-minute windows to identify scanning behavior.

high severity high confidence

Data Sources

Web proxy logs IIS access logs WAF logs Nginx logs

Required Sourcetypes

iis apache:access nginx:plus:kv pan:traffic f5:bigip:ltm:access

False Positives

Authenticated vulnerability scanners (Qualys, Tenable) running web application scans against TeamCity
Authorized red team operations with approved scope covering the TeamCity URL space
Misconfigured load balancers that mangle URL-encoded characters during proxy forwarding
Development/staging environments where teams test path handling without production hardening

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=5m
  [network where event.category == "network" and
   http.request.method in ("GET", "POST") and
   (
     wildcard(url.path, "*/res/*../*") or
     wildcard(url.path, "*/update/*../*") or
     wildcard(url.path, "*/icons/*../*") or
     url.path like~ "*%2e%2e*" or
     url.path like~ "*%252e%252e*"
   ) and
   (
     url.path like~ "*/WEB-INF*" or
     url.path like~ "*/admin*" or
     url.path like~ "*/config*" or
     url.path like~ "*server.xml*" or
     url.path like~ "*web.xml*"
   )
  ] with runs=3

Uses EQL sequence detection to identify repeated path traversal attempts from the same source IP against JetBrains TeamCity within a 5-minute window, reducing noise from single accidental requests.

high severity medium confidence

Data Sources

Elastic APM Filebeat web module Packetbeat

Required Tables

logs-* filebeat-* packetbeat-*

False Positives

Automated security scanning tools performing scheduled web application assessments
Browser extensions or developer tools that construct malformed URLs during testing
Misconfigured applications that prepend relative paths when constructing TeamCity API calls
URL normalization bugs in upstream proxies that introduce traversal sequences

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  destinationip,
  URL,
  "HTTP Response Code" AS http_status,
  "User Agent" AS user_agent,
  COUNT(*) AS request_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('IBM Security Network IPS (GV)', 'Apache HTTP Server', 'Microsoft IIS', 'Nginx')
  AND (
    LOWER(URL) MATCHES '.*(?:/res/|/update/|/icons/).*(?:%2e%2e|%252e%252e|\\.\\./).*'
    OR LOWER(URL) MATCHES '.*(web-inf|server\\.xml|web\\.xml|/admin/|/config/).*'
  )
  AND (
    LOWER(URL) MATCHES '.*(%2e%2e|%252e).*'
    OR LOWER(URL) MATCHES '.*(\\.\\./){1,}.*'
  )
  AND LOGSOURCENAME(logsourceid) ILIKE '%teamcity%'
  AND starttime > NOW() - 86400000
GROUP BY sourceip, destinationip, URL, http_status, user_agent
HAVING COUNT(*) >= 3
ORDER BY request_count DESC
LAST 24 HOURS

QRadar AQL query identifying path traversal patterns in HTTP logs from TeamCity servers. Groups by source IP and URL to surface repeated exploitation attempts and unusual response codes indicating successful traversal.

high severity medium confidence

Data Sources

Microsoft IIS log source Apache HTTP log source Nginx log source Network IPS events

Required Tables

events

False Positives

Network vulnerability scanners (Qualys, Rapid7) performing scheduled web scans
Penetration testing engagements with scoped coverage of TeamCity web interface
Misconfigured upstream HTTP proxies that alter URL encoding before logging
Custom TeamCity plugins that construct API URLs with relative path components

Sumo Logic CSE

sql

_sourceCategory=web/access OR _sourceCategory=proxy/logs OR _sourceCategory=waf
| parse regex "(?<src_ip>\\d+\\.\\d+\\.\\d+\\.\\d+).*?(?:GET|POST|PUT)\\s+(?<request_path>[^\\s]+)"
| where request_path matches /(?i)\/(?:res|update|icons|plugins)\//
| where request_path matches /(?i)(?:%2e%2e|%252e%252e|\.\.\/)/
| where request_path matches /(?i)(?:WEB-INF|web\.xml|server\.xml|\/admin\/|\/config\/|internal)/
| urldecode(request_path) as decoded_path
| timeslice 5m
| stats count as request_count, dcount(request_path) as unique_paths by src_ip, _timeslice
| where request_count >= 3
| fields _timeslice, src_ip, request_count, unique_paths
| sort by request_count desc

Sumo Logic query detecting TeamCity path traversal exploitation by parsing web access logs for encoded traversal sequences targeting restricted server paths. Aggregates over 5-minute windows per source IP.

high severity medium confidence

Data Sources

Web server access logs Proxy logs WAF logs

Required Tables

_sourceCategory=web/access _sourceCategory=proxy/logs

False Positives

Authorized web application penetration tests against TeamCity infrastructure
Security scanning platforms (Tenable, Qualys) with web application scanning enabled
Misconfigured load balancers introducing URL encoding artifacts in forwarded headers
TeamCity plugin developers testing path resolution logic in development environments

Google Chronicle / SecOps

yaral

rule cve_2024_27199_teamcity_path_traversal {
  meta:
    author = "df00tech"
    description = "Detects CVE-2024-27199 JetBrains TeamCity relative path traversal exploitation"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-27199"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.method = /GET|POST/
    $e.network.http.request_url = /(?i)\/(?:res|update|icons|plugins)\//
    (
      $e.network.http.request_url = /(?i)%2e%2e/ or
      $e.network.http.request_url = /(?i)%252e%252e/ or
      $e.network.http.request_url = /\.\.\//
    )
    (
      $e.network.http.request_url = /(?i)WEB-INF/ or
      $e.network.http.request_url = /(?i)server\.xml/ or
      $e.network.http.request_url = /(?i)\/admin\// or
      $e.network.http.request_url = /(?i)\/config\//
    )
    $ip = $e.principal.ip

  match:
    $ip over 5m

  condition:
    #e >= 3
}

Chronicle YARA-L rule detecting repeated CVE-2024-27199 path traversal attempts against JetBrains TeamCity. Triggers when the same source IP makes 3 or more requests containing traversal patterns to TeamCity-specific URL paths within 5 minutes.

high severity high confidence

Data Sources

Chronicle UDM HTTP events Web proxy ingestion feeds

Required Tables

network_http UDM events

False Positives

Authorized penetration testing with scoped targets including TeamCity web server
Automated vulnerability assessment platforms running web application checks
Misconfigured reverse proxies that rewrite or encode URL path segments
TeamCity health check endpoints that inadvertently match traversal patterns

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkReceiveAccepted OR #event_simpleName=HttpRequest
| LocalPort = 8111 OR LocalPort = 443 OR LocalPort = 80
| HttpPath = /(?i)\/(?:res|update|icons|plugins)\//
| HttpPath = /(?i)(?:%2e%2e|%252e%252e|\.\.\/)/
| HttpPath = /(?i)(?:WEB-INF|web\.xml|server\.xml|\/admin\/|\/config\/)/
| stats count() as request_count by RemoteAddressIP4, HttpPath, bin(timestamp, 5min)
| where request_count >= 3
| sort request_count desc
| rename RemoteAddressIP4 as attacker_ip, HttpPath as traversal_path

CrowdStrike Falcon LogScale query detecting CVE-2024-27199 exploitation via network events on TeamCity default ports. Identifies repeated path traversal requests containing encoded dot-dot sequences targeting sensitive server paths.

high severity medium confidence

Data Sources

CrowdStrike Falcon network telemetry Falcon sensor HTTP events

Required Tables

NetworkReceiveAccepted HttpRequest

False Positives

CrowdStrike-protected hosts running authorized vulnerability scans against TeamCity
Red team operations with approved scope on TeamCity server endpoints
Misconfigured applications making API calls with relative path segments to TeamCity
Load balancer health probes that traverse URL paths during endpoint validation

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2024-27199 JetBrains TeamCity Relative Path Traversal (CVE-2024-27199)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2024-27199

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox