T1499.002

Service Exhaustion Flood

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services through service exhaustion floods. A simple HTTP flood sends a large number of HTTP requests to a web server to overwhelm it and/or an application running on top of it, exhausting various resources required to provide the service. A SSL renegotiation attack takes advantage of a protocol feature in SSL/TLS where the adversary establishes a connection and then proceeds to make a series of renegotiation requests, exploiting the meaningful computational cost of cryptographic renegotiation to degrade or deny service when performed at volume. Both attack types target service availability without requiring exploitation of a software vulnerability.

Microsoft Sentinel / Defender

kusto

// T1499.002 — Service Exhaustion Flood: Multi-source detection
// Branch 1: IIS HTTP flood — high request volume from single source in 5-minute windows
let FloodWindow = 5m;
let RequestFloodThreshold = 500;
let ErrorFloodThreshold = 100;
let IISFlood =
    W3CIISLog
    | where TimeGenerated > ago(1h)
    | summarize
        TotalRequests = count(),
        UniqueURIs = dcount(csUriStem),
        Status5xx = countif(scStatus >= 500),
        Status429 = countif(scStatus == 429),
        DistinctUserAgents = dcount(csUserAgent),
        TotalBytesSent = sum(scBytes)
      by SourceIP = cIP, TargetSite = sSiteName, TimeBin = bin(TimeGenerated, FloodWindow)
    | where TotalRequests > RequestFloodThreshold or Status5xx > ErrorFloodThreshold
    | extend RequestsPerSecond = round(toreal(TotalRequests) / 300, 2)
    | extend FloodType = case(
        UniqueURIs == 1 and TotalRequests > RequestFloodThreshold, "Single-Resource HTTP Flood",
        DistinctUserAgents == 1 and TotalRequests > 1000, "Simple HTTP Flood",
        Status5xx > ErrorFloodThreshold, "Service Degradation via HTTP Flood",
        "HTTP Request Flood"
      )
    | extend DetectionSource = "IIS_Log"
    | project TimeBin, SourceIP, TargetSite, TotalRequests, RequestsPerSecond,
              UniqueURIs, Status5xx, Status429, DistinctUserAgents, FloodType, DetectionSource;
// Branch 2: Azure Application Gateway WAF — flood/DoS rule triggers
let WAFFlood =
    AzureDiagnostics
    | where TimeGenerated > ago(1h)
    | where ResourceType == "APPLICATIONGATEWAYS"
    | where Category == "ApplicationGatewayFirewallLog"
    | where Message has_any ("flood", "DoS", "renegotiation", "connection limit", "rate limit", "SSL flood")
          or ruleGroup_s has_any ("DoS", "RCE", "HTTP")
    | summarize
        BlockedRequests = count(),
        UniqueRules = dcount(ruleId_s),
        UniqueTargetURIs = dcount(requestUri_s)
      by SourceIP = clientIp_s, TargetSite = hostname_s, TimeBin = bin(TimeGenerated, FloodWindow)
    | where BlockedRequests > 50
    | extend FloodType = "WAF_Blocked_Flood"
    | extend DetectionSource = "Azure_AppGateway_WAF"
    | project TimeBin, SourceIP, TargetSite, TotalRequests = BlockedRequests,
              RequestsPerSecond = round(toreal(BlockedRequests) / 300, 2),
              UniqueURIs = UniqueRules, Status5xx = BlockedRequests, Status429 = 0,
              DistinctUserAgents = 0, FloodType, DetectionSource;
// Branch 3: CommonSecurityLog — firewall/IDS flood and SSL renegotiation alerts (Palo Alto, Fortinet, CheckPoint)
let NetworkFlood =
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where Activity has_any ("flood", "DoS", "denial of service", "SSL renegotiation", "connection exhaustion", "HTTP flood", "SYN flood")
          or DeviceEventClassID has_any ("flood", "dos", "renegotiation", "conn-limit")
    | summarize
        AlertCount = count(),
        UniqueDestPorts = dcount(DestinationPort),
        AffectedTargets = dcount(DestinationIP)
      by SourceIP, DestinationIP, DeviceProduct, Activity, TimeBin = bin(TimeGenerated, FloodWindow)
    | extend FloodType = strcat("Network_Alert: ", Activity)
    | extend DetectionSource = DeviceProduct
    | project TimeBin, SourceIP, TargetSite = DestinationIP, TotalRequests = AlertCount,
              RequestsPerSecond = toreal(0), UniqueURIs = UniqueDestPorts, Status5xx = 0,
              Status429 = 0, DistinctUserAgents = 0, FloodType, DetectionSource;
// Union all detection branches
union isfuzzy=true IISFlood, WAFFlood, NetworkFlood
| sort by TotalRequests desc

high severity medium confidence

Data Sources

Network: Network Traffic Application Log: Application Log Content W3CIISLog (IIS Web Server Logs) AzureDiagnostics (Azure Application Gateway / WAF) CommonSecurityLog (Firewall/IDS CEF)

Required Tables

W3CIISLog AzureDiagnostics CommonSecurityLog

False Positives

Legitimate high-traffic events such as product launches, viral marketing campaigns, or news coverage driving genuine traffic spikes from many distributed users
Web scraping bots, SEO crawlers, and content aggregators that rapidly enumerate site content and generate high request volumes from single IP ranges
Load testing tools (Apache Bench, k6, Locust, JMeter, Gatling) used by development and QA teams against production or staging environments without prior notification
CDN edge nodes, reverse proxies, or shared NAT gateways that aggregate traffic from many legitimate users behind a single source IP, inflating per-IP counts
Automated monitoring, synthetic transaction tools, and health check agents that poll endpoints at high frequency

Splunk

spl

| multisearch
    [ search index=web sourcetype=iis
      | eval _src_ip=c_ip, _target=cs_host, _uri=cs_uri_stem,
             _status=sc_status, _ua=cs_user_agent, _bytes=sc_bytes,
             _detection_source="IIS_Log" ]
    [ search index=web sourcetype="access_combined" OR sourcetype="access_log"
      | eval _src_ip=clientip, _target=host, _uri=uri,
             _status=status, _ua=useragent, _bytes=bytes,
             _detection_source="Apache_Access_Log" ]
| bin _time span=5m
| stats
    count                               as TotalRequests,
    dc(_uri)                            as UniqueURIs,
    count(eval(_status>=500))           as Status5xx,
    count(eval(_status==429))           as Status429,
    dc(_ua)                             as DistinctUserAgents,
    sum(_bytes)                         as TotalBytesSent,
    values(_detection_source)           as DetectionSource
  by _time, _src_ip, _target
| where TotalRequests > 500 OR Status5xx > 100
| eval RequestsPerSecond=round(TotalRequests / 300, 2)
| eval FloodType=case(
    UniqueURIs==1 AND TotalRequests>500,    "Single-Resource HTTP Flood",
    DistinctUserAgents==1 AND TotalRequests>1000, "Simple HTTP Flood",
    Status5xx>100,                          "Service Degradation via HTTP Flood",
    true(),                                 "HTTP Request Flood"
  )
| eval Severity=case(
    TotalRequests > 2000 OR Status5xx > 500, "High",
    TotalRequests > 1000 OR Status5xx > 200, "Medium",
    true(),                                  "Low"
  )
| table _time, _src_ip, _target, TotalRequests, RequestsPerSecond, UniqueURIs,
        Status5xx, Status429, DistinctUserAgents, FloodType, Severity, DetectionSource
| sort - TotalRequests

| appendcols
    [ search index=network sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="fortinet"
      (severity=high OR severity=critical)
      ("flood" OR "dos" OR "denial" OR "renegotiation" OR "connection-limit" OR "http-flood" OR "ssl-renegotiation")
    | bin _time span=5m
    | stats count as AlertCount, dc(dest_port) as UniquePorts, dc(dest_ip) as AffectedTargets
      by _time, src_ip, dest_ip, signature, sourcetype
    | where AlertCount > 5
    | eval FloodType=mvappend("Network_Alert: " . signature)
    | eval Severity="High"
    | rename src_ip as _src_ip, dest_ip as _target, sourcetype as DetectionSource
    | eval TotalRequests=AlertCount, RequestsPerSecond=0, UniqueURIs=UniquePorts,
           Status5xx=AlertCount, Status429=0, DistinctUserAgents=0
    | table _time, _src_ip, _target, TotalRequests, RequestsPerSecond, UniqueURIs,
            Status5xx, Status429, DistinctUserAgents, FloodType, Severity, DetectionSource ]

high severity medium confidence

Data Sources

Network: Network Traffic Application Log: Application Log Content IIS Web Server Logs Apache/Nginx Access Logs Palo Alto / Cisco ASA / Fortinet Network Logs

Required Sourcetypes

iis access_combined pan:traffic

False Positives

Legitimate high-traffic events such as product launches, viral marketing campaigns, or news coverage driving genuine traffic spikes from many distributed users
Web scraping bots, SEO crawlers, and content aggregators that rapidly enumerate site content and generate high request volumes from single IP ranges
Load testing tools (Apache Bench, k6, Locust, JMeter, Gatling) used by development and QA teams against production or staging environments without prior notification
CDN edge nodes, reverse proxies, or shared NAT gateways that aggregate traffic from many legitimate users behind a single source IP, inflating per-IP counts
Automated monitoring and synthetic transaction tools that poll endpoints at high frequency

Elastic Security (EQL)

eql

// Branch 1: HTTP access log flood detection — high volume from single source
// Run as a threshold rule over 5-minute windows
sequence by source.ip with maxspan=5m
  [network where event.dataset == "apache.access" or event.dataset == "nginx.access" or event.dataset == "iis.access"
   | keep source.ip, url.path, http.response.status_code, http.response.bytes, user_agent.original, destination.domain]

// NOTE: For threshold-based detection, use the following aggregation query via Elasticsearch API:
// POST /_eql/search with threshold rules, or use the SIEM rule type 'threshold'
// Equivalent aggregation logic:
from logs-*
| where event.dataset in ("apache.access", "nginx.access", "iis.access", "aws.elb_logs")
| where @timestamp > now() - 5m
| stats
    total_requests = count(),
    unique_uris = count_distinct(url.path),
    status_5xx = count(http.response.status_code >= 500),
    status_429 = count(http.response.status_code == 429),
    distinct_user_agents = count_distinct(user_agent.original),
    total_bytes = sum(http.response.bytes)
  by source.ip, destination.domain, bucket(@timestamp, "5 minutes")
| where total_requests > 500 or status_5xx > 100
| eval requests_per_second = round(total_requests / 300, 2)
| eval flood_type = case(
    unique_uris == 1 and total_requests > 500, "Single-Resource HTTP Flood",
    distinct_user_agents == 1 and total_requests > 1000, "Simple HTTP Flood",
    status_5xx > 100, "Service Degradation via HTTP Flood",
    "HTTP Request Flood"
  )
| eval severity = case(
    total_requests > 2000 or status_5xx > 500, "critical",
    total_requests > 1000 or status_5xx > 200, "high",
    "medium"
  )
| sort total_requests desc

high severity medium confidence

Data Sources

Apache HTTP Server access logs (logs-apache.access-*) Nginx access logs (logs-nginx.access-*) IIS access logs (logs-iis.access-*) AWS ELB access logs (logs-aws.elb_logs-*) Palo Alto Networks firewall logs (logs-panw.panos-*) Network packet capture / flow data (logs-network_traffic.*)

Required Tables

logs-apache.access-* logs-nginx.access-* logs-iis.access-* logs-aws.elb_logs-* logs-panw.panos-*

False Positives

Legitimate high-traffic web applications or content delivery events such as a viral post or marketing campaign driving thousands of real users to a single URL in a short window — correlate with marketing calendar and CDN traffic baseline.
Automated legitimate traffic sources such as web crawlers (Googlebot, Bingbot), uptime monitoring probes (Pingdom, DataDog Synthetics), or CI/CD pipeline health checks that issue many requests from a single IP against a single endpoint.
Load testing and performance benchmarking tools (Apache JMeter, Locust, k6, Gatling) executed against production or staging environments by internal teams — validate against change management tickets and notify-on-test procedures.
SSL/TLS certificate validation services and OCSP stapling responders that establish many short-lived connections, potentially triggering SSL renegotiation thresholds.
Misconfigured API clients or SDK bugs causing retry storms — a single application server sending thousands of identical requests due to an infinite retry loop without backoff.

IBM QRadar (AQL)

sql

// Branch 1: HTTP flood detection from web access logs
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS time_bucket,
    sourceip AS source_ip,
    LONG(destinationip) AS destination_ip,
    'HTTP_Access_Log' AS detection_source,
    COUNT(*) AS total_requests,
    COUNT(DISTINCT "URL") AS unique_uris,
    SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) AS status_5xx,
    SUM(CASE WHEN LONG("HTTP Response Code") = 429 THEN 1 ELSE 0 END) AS status_429,
    COUNT(DISTINCT "User Agent") AS distinct_user_agents,
    ROUND(COUNT(*) / 300.0, 2) AS requests_per_second,
    CASE
        WHEN COUNT(DISTINCT "URL") = 1 AND COUNT(*) > 500 THEN 'Single-Resource HTTP Flood'
        WHEN COUNT(DISTINCT "User Agent") = 1 AND COUNT(*) > 1000 THEN 'Simple HTTP Flood'
        WHEN SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 100 THEN 'Service Degradation via HTTP Flood'
        ELSE 'HTTP Request Flood'
    END AS flood_type,
    CASE
        WHEN COUNT(*) > 2000 OR SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 500 THEN 'High'
        WHEN COUNT(*) > 1000 OR SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 200 THEN 'Medium'
        ELSE 'Low'
    END AS severity
FROM events
WHERE
    starttime > NOW() - 3600000
    AND LOGSOURCETYPEID IN (
        SELECT id FROM SYS_LOGSOURCETYPE
        WHERE name IN ('Apache HTTP Server', 'Microsoft IIS', 'nginx', 'AWS Application Load Balancer')
    )
GROUP BY
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm'),
    sourceip,
    destinationip
HAVING
    COUNT(*) > 500 OR SUM(CASE WHEN LONG("HTTP Response Code") >= 500 THEN 1 ELSE 0 END) > 100
ORDER BY total_requests DESC

UNION ALL

// Branch 2: Network/firewall flood alerts — Palo Alto, Fortinet, Check Point
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm') AS time_bucket,
    sourceip AS source_ip,
    LONG(destinationip) AS destination_ip,
    LOGSOURCENAME(logsourceid) AS detection_source,
    COUNT(*) AS total_requests,
    COUNT(DISTINCT destinationport) AS unique_uris,
    COUNT(*) AS status_5xx,
    0 AS status_429,
    0 AS distinct_user_agents,
    0.0 AS requests_per_second,
    CONCAT('Network_Alert: ', QIDNAME(qid)) AS flood_type,
    'High' AS severity
FROM events
WHERE
    starttime > NOW() - 3600000
    AND (
        LOWER(QIDNAME(qid)) LIKE '%flood%'
        OR LOWER(QIDNAME(qid)) LIKE '%denial%'
        OR LOWER(QIDNAME(qid)) LIKE '%dos%'
        OR LOWER(QIDNAME(qid)) LIKE '%renegotiation%'
        OR LOWER(QIDNAME(qid)) LIKE '%ssl%flood%'
        OR LOWER(QIDNAME(qid)) LIKE '%connection%limit%'
        OR LOWER(QIDNAME(qid)) LIKE '%rate%limit%'
    )
    AND severity >= 7
    AND LOGSOURCETYPEID IN (
        SELECT id FROM SYS_LOGSOURCETYPE
        WHERE name IN ('Palo Alto PA Series', 'Fortinet FortiGate', 'Check Point FireWall-1', 'Cisco ASA')
    )
GROUP BY
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm'),
    sourceip,
    destinationip,
    logsourceid,
    qid
HAVING COUNT(*) > 5
ORDER BY total_requests DESC

high severity medium confidence

Data Sources

Apache HTTP Server log source (LOGSOURCETYPEID: Apache HTTP Server) Microsoft IIS log source (LOGSOURCETYPEID: Microsoft IIS) AWS Application Load Balancer log source Palo Alto PA Series firewall (LOGSOURCETYPEID: Palo Alto PA Series) Fortinet FortiGate (LOGSOURCETYPEID: Fortinet FortiGate) Check Point FireWall-1 (LOGSOURCETYPEID: Check Point FireWall-1) Cisco ASA (LOGSOURCETYPEID: Cisco ASA)

Required Tables

events

False Positives

High-traffic e-commerce or media sites during flash sales, product launches, or viral content events where a CDN edge node or reverse proxy IP appears as a single source IP generating floods of legitimate user traffic.
Security scanners and vulnerability assessment tools (Nessus, Qualys, Rapid7 InsightVM) executing web application scans that generate many requests across short intervals to test for vulnerabilities — correlate with scheduled scan windows.
Firewall or IDS rules that are overly broad and trigger on any high-volume connection, including legitimate internal services such as log shippers, metrics collectors, or backup systems that open many connections to a single destination.
CDN health checks and anycast routing probes from providers like Akamai, Cloudflare, or Fastly that send regular high-frequency probes from a small set of monitoring IPs to verify origin availability.

Sumo Logic CSE

sql

// Branch 1: HTTP access log flood detection
_sourceCategory=*/web/access OR _sourceCategory=*/iis OR _sourceCategory=*/apache OR _sourceCategory=*/nginx
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, authuser, datetime, method, uri, protocol, status, bytes nodrop
| parse "* * [*] \"* * *\" * * * \"*\"" as src_ip, host, datetime, method, uri, protocol, status, bytes, referrer, useragent nodrop
| where isNum(status)
| timeslice 5m
| stats
    count as TotalRequests,
    count_distinct(uri) as UniqueURIs,
    count(if(tonumber(status) >= 500, 1, null)) as Status5xx,
    count(if(tonumber(status) == 429, 1, null)) as Status429,
    count_distinct(useragent) as DistinctUserAgents,
    sum(tonumber(bytes)) as TotalBytesSent
  by _timeslice, src_ip, host
| where TotalRequests > 500 or Status5xx > 100
| eval RequestsPerSecond = round(TotalRequests / 300, 2)
| eval FloodType = if(UniqueURIs == 1 and TotalRequests > 500, "Single-Resource HTTP Flood",
    if(DistinctUserAgents == 1 and TotalRequests > 1000, "Simple HTTP Flood",
    if(Status5xx > 100, "Service Degradation via HTTP Flood", "HTTP Request Flood")))
| eval Severity = if(TotalRequests > 2000 or Status5xx > 500, "Critical",
    if(TotalRequests > 1000 or Status5xx > 200, "High", "Medium"))
| eval MITRETechnique = "T1499.002"
| eval DetectionSource = "HTTP_Access_Log"
| fields _timeslice, src_ip, host, TotalRequests, RequestsPerSecond, UniqueURIs, Status5xx, Status429, DistinctUserAgents, FloodType, Severity, MITRETechnique, DetectionSource
| sort by TotalRequests desc

// Branch 2: Network/firewall flood alert detection
// Run separately and correlate results
_sourceCategory=*/firewall OR _sourceCategory=*/paloalto OR _sourceCategory=*/fortinet OR _sourceCategory=*/cisco/asa
| where severity = "high" or severity = "critical"
| where (%"msg" matches /(?i)(flood|dos|denial.of.service|renegotiation|connection.limit|http.flood|ssl.renegotiation|rate.limit)/
    or %"signature" matches /(?i)(flood|dos|denial|renegotiation|conn.limit)/)
| timeslice 5m
| stats
    count as AlertCount,
    count_distinct(dest_port) as UniquePorts,
    count_distinct(dest_ip) as AffectedTargets
  by _timeslice, src_ip, dest_ip, signature, _sourceCategory
| where AlertCount > 5
| eval FloodType = concat("Network_Alert: ", signature)
| eval Severity = "High"
| eval MITRETechnique = "T1499.002"
| eval DetectionSource = _sourceCategory
| fields _timeslice, src_ip, dest_ip, AlertCount, UniquePorts, AffectedTargets, FloodType, Severity, MITRETechnique, DetectionSource
| sort by AlertCount desc

high severity medium confidence

Data Sources

Apache HTTP Server access logs (_sourceCategory=*/apache) Nginx access logs (_sourceCategory=*/nginx) IIS access logs (_sourceCategory=*/iis) Palo Alto firewall logs (_sourceCategory=*/paloalto) Fortinet FortiGate logs (_sourceCategory=*/fortinet) Cisco ASA logs (_sourceCategory=*/cisco/asa)

Required Tables

Sumo Logic HTTP access log sources Sumo Logic network/firewall log sources

False Positives

Large-scale SEO crawlers or web archival bots (Archive.org, Common Crawl) that issue thousands of HTTP requests from a single IP or small IP range in a short period against a public-facing site.
Application performance monitoring tools or real-user monitoring agents deployed on the web server itself that forward synthetic transaction data in batches, creating burst traffic patterns.
Internal network address translation (NAT) gateways masking thousands of real users behind a single egress IP — especially common in enterprise environments — causing threshold breaches despite representing legitimate distributed user activity.
SSL certificate transparency log monitors and ACME challenge responders that initiate repeated TLS handshakes for certificate validation purposes, potentially matching SSL renegotiation signatures.

Google Chronicle / SecOps

yaral

rule t1499_002_service_exhaustion_flood_http {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1499.002 Service Exhaustion Flood: HTTP flood attacks characterized by high request volume from a single source IP against a web server over a 5-minute window. Covers single-resource floods, simple floods, and service degradation patterns."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-19"
    platforms = "Windows, Linux, GCP, AWS"

  events:
    // Web access log events — HTTP requests
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.ip != ""
    $e.target.hostname != ""

    // Capture fields for aggregation
    $src_ip = $e.principal.ip
    $target_host = $e.target.hostname
    $status_code = $e.network.http.response_code
    $uri = $e.target.url

  match:
    $src_ip, $target_host over 5m

  outcome:
    $total_requests = count($e.metadata.id)
    $unique_uris = count_distinct($uri)
    $status_5xx_count = sum(if($status_code >= 500, 1, 0))
    $status_429_count = sum(if($status_code = 429, 1, 0))
    $requests_per_second = math.round(count($e.metadata.id) / 300.0, 2)
    $flood_type = if(
      count_distinct($uri) = 1 and count($e.metadata.id) > 500,
        "Single-Resource HTTP Flood",
      if(
        count($e.metadata.id) > 1000 and sum(if($status_code >= 500, 1, 0)) > 100,
          "Service Degradation via HTTP Flood",
        "HTTP Request Flood"
      )
    )
    $risk_score = if(
      count($e.metadata.id) > 2000 or sum(if($status_code >= 500, 1, 0)) > 500, 95,
      if(
        count($e.metadata.id) > 1000 or sum(if($status_code >= 500, 1, 0)) > 200, 75,
        55
      )
    )

  condition:
    #e > 500 or $status_5xx_count > 100
}

rule t1499_002_service_exhaustion_flood_network_alerts {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1499.002 Service Exhaustion Flood via network security alerts (firewall, IDS/IPS) reporting flood, DoS, SSL renegotiation, or connection exhaustion events from a single source."
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1499.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2026-04-19"

  events:
    // Network security device alerts
    $alert.metadata.event_type = "NETWORK_CONNECTION" or
    $alert.metadata.event_type = "GENERIC_EVENT"
    $alert.metadata.product_event_type != ""

    // Match flood/DoS related signatures
    (
      re.regex($alert.metadata.description, `(?i)(flood|denial.of.service|ssl.renegotiation|connection.limit|http.flood|dos.attack|rate.limit)`) or
      re.regex($alert.metadata.product_event_type, `(?i)(flood|dos|renegotiation|conn.limit|syn.flood)`) or
      re.regex($alert.security_result.summary, `(?i)(flood|denial|dos|renegotiation|exhaustion)`)
    )

    // High or critical severity network alerts only
    $alert.security_result.severity = "HIGH" or
    $alert.security_result.severity = "CRITICAL"

    $src_ip = $alert.principal.ip
    $dst_ip = $alert.target.ip
    $alert_name = $alert.security_result.summary

  match:
    $src_ip, $dst_ip over 5m

  outcome:
    $alert_count = count($alert.metadata.id)
    $unique_ports = count_distinct($alert.target.port)
    $flood_type = concat("Network_Alert: ", array_first(array_distinct($alert_name)))
    $risk_score = 85

  condition:
    #alert > 5
}

high severity medium confidence

Data Sources

Google Cloud HTTP Load Balancer logs (via Chronicle ingestion) Palo Alto Networks PAN-OS (via Chronicle Palo Alto ingestion parser) Fortinet FortiGate (via Chronicle Fortinet ingestion parser) AWS WAF and ALB access logs (via Chronicle AWS ingestion) Cloudflare WAF logs (via Chronicle Cloudflare ingestion) UDM NETWORK_HTTP events from any ingested web proxy or load balancer

Required Tables

UDM events (NETWORK_HTTP type) UDM events (NETWORK_CONNECTION and GENERIC_EVENT types for security alerts)

False Positives

Cloud provider health checks and load balancer probes from shared IP pools (AWS ELB health checker, GCP health check probes) that issue hundreds of requests per minute against application endpoints from a small set of internal IPs.
Content delivery network (CDN) origin pull requests where the CDN consolidates traffic from thousands of end users and forwards them as a burst from a small number of CDN PoP IPs, making legitimate traffic appear as a flood.
Automated regression testing pipelines (GitHub Actions, CircleCI) that execute load or stress tests against staging environments which share Chronicle log ingestion with production, causing alert fatigue during nightly test runs.
SaaS application webhooks with retry logic that attempt to deliver failed notifications repeatedly from a single IP within a short window if the destination is temporarily unavailable.

CrowdStrike LogScale (CQL)

cql

// Branch 1: HTTP flood detection via CrowdStrike network connection telemetry
// Detects high-volume outbound/inbound HTTP connections from a single endpoint
// indicating potential HTTP flood activity from a compromised host
#event_simpleName = "NetworkConnectIP4" OR #event_simpleName = "NetworkConnectIP6"
| RemotePort = 80 OR RemotePort = 443 OR RemotePort = 8080 OR RemotePort = 8443
| groupBy(
    [ComputerName, LocalAddressIP4, RemoteAddressIP4, RemotePort],
    function=[
      count(aid, as=TotalConnections),
      count(distinct(RemoteAddressIP4), as=UniqueTargets),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ],
    limit=max
  )
| TotalConnections > 500
| eval RequestsPerSecond = round(TotalConnections / 300, 2)
| eval FloodType = if(UniqueTargets == 1, "Single-Target HTTP Flood", "Multi-Target HTTP Flood")
| eval Severity = if(TotalConnections > 5000, "Critical",
    if(TotalConnections > 2000, "High", "Medium"))
| eval MITRETechnique = "T1499.002"
| eval DetectionSource = "CrowdStrike_NetworkConnect"
| table([
    ComputerName, LocalAddressIP4, RemoteAddressIP4, RemotePort,
    TotalConnections, RequestsPerSecond, UniqueTargets,
    FloodType, Severity, MITRETechnique, DetectionSource,
    FirstSeen, LastSeen
  ])
| sort(TotalConnections, order=desc)

// Branch 2: DNS flood detection via CrowdStrike DNS telemetry
// Detects high-volume DNS query bursts that may indicate DNS amplification/exhaustion
#event_simpleName = "DnsRequest"
| groupBy(
    [ComputerName, LocalAddressIP4],
    function=[
      count(aid, as=TotalDNSQueries),
      count(distinct(DomainName), as=UniqueDomains),
      count(distinct(RequestType), as=UniqueQueryTypes),
      values(DomainName, as=SampledDomains, limit=5)
    ],
    limit=max
  )
| TotalDNSQueries > 1000
| eval QueriesPerSecond = round(TotalDNSQueries / 300, 2)
| eval FloodIndicator = if(
    UniqueDomains < 5 and TotalDNSQueries > 1000,
      "DNS Amplification/Flood Suspected",
    if(
      UniqueQueryTypes == 1 and TotalDNSQueries > 2000,
        "Single-Type DNS Flood",
      "High-Volume DNS Activity"
    )
  )
| eval Severity = if(TotalDNSQueries > 10000, "Critical",
    if(TotalDNSQueries > 5000, "High", "Medium"))
| eval MITRETechnique = "T1499.002"
| eval DetectionSource = "CrowdStrike_DNSRequest"
| table([
    ComputerName, LocalAddressIP4, TotalDNSQueries, UniqueDomains,
    QueriesPerSecond, UniqueQueryTypes, SampledDomains,
    FloodIndicator, Severity, MITRETechnique, DetectionSource
  ])
| sort(TotalDNSQueries, order=desc)

// Branch 3: Process-initiated flood detection
// Detects known flood/stress-test tools by process name or command line
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(hping|hping3|wrk|ab\.exe|siege|slowloris|loic|hoic|goldeneye|torshammer|hulk|pyloris|thcssl|mdk3|xerxes|ufosyn|sockstress|t50\.exe|flood\.py|dosflood)/
    OR CommandLine = /(?i)(--flood|--syn-flood|ssl.renegotiation|renegotiation.attack|-flood|-dos|-stress|--slowloris)/
| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine],
    function=[
      count(aid, as=ExecutionCount),
      values(ParentImageFileName, as=ParentProcess),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| eval FloodType = "Known_Flood_Tool_Execution"
| eval Severity = "Critical"
| eval MITRETechnique = "T1499.002"
| eval DetectionSource = "CrowdStrike_ProcessRollup2"
| table([
    ComputerName, UserName, ImageFileName, CommandLine, ParentProcess,
    ExecutionCount, FloodType, Severity, MITRETechnique, DetectionSource,
    FirstSeen, LastSeen
  ])

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor — NetworkConnectIP4 events (#event_simpleName=NetworkConnectIP4) CrowdStrike Falcon sensor — NetworkConnectIP6 events (#event_simpleName=NetworkConnectIP6) CrowdStrike Falcon sensor — DnsRequest events (#event_simpleName=DnsRequest) CrowdStrike Falcon sensor — ProcessRollup2 events (#event_simpleName=ProcessRollup2)

Required Tables

CrowdStrike Falcon Data Replicator (FDR) event stream Humio/LogScale repository with FDR events

False Positives

Penetration testing engagements where authorized red team operators run tools like hping3, wrk, or ab (Apache Benchmark) against in-scope targets — validate against active engagement windows and authorized IP lists before escalating Branch 3 matches.
Developer workstations running local load tests against development environments using tools like k6, JMeter, or wrk that are bundled under innocuous process names or executed via script wrappers, potentially matching command-line patterns.
Network monitoring appliances or endpoint agents that establish many simultaneous connections to cloud telemetry endpoints for health reporting or event streaming, triggering Branch 1 volume thresholds without malicious intent.
High-frequency DNS resolvers or DNS prefetching mechanisms on busy workstations or browser-based kiosks that pre-resolve large numbers of domains from a browsed page, triggering Branch 2 DNS volume thresholds.

Last updated: 2026-04-19 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1499.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.001OS Exhaustion Flood T1499.003Application Exhaustion Flood T1499.004Application or System Exploitation

Service Exhaustion Flood

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections