T1499.002 Microsoft Sentinel · KQL

Detect Service Exhaustion Flood in Microsoft Sentinel

Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services through service exhaustion floods. A simple HTTP flood sends a large number of HTTP requests to a web server to overwhelm it and/or an application running on top of it, exhausting various resources required to provide the service. A SSL renegotiation attack takes advantage of a protocol feature in SSL/TLS where the adversary establishes a connection and then proceeds to make a series of renegotiation requests, exploiting the meaningful computational cost of cryptographic renegotiation to degrade or deny service when performed at volume. Both attack types target service availability without requiring exploitation of a software vulnerability.

MITRE ATT&CK

Tactic
Impact
Technique
T1499 Endpoint Denial of Service
Sub-technique
T1499.002 Service Exhaustion Flood
Canonical reference
https://attack.mitre.org/techniques/T1499/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1499.002 — Service Exhaustion Flood: Multi-source detection
// Branch 1: IIS HTTP flood — high request volume from single source in 5-minute windows
let FloodWindow = 5m;
let RequestFloodThreshold = 500;
let ErrorFloodThreshold = 100;
let IISFlood =
    W3CIISLog
    | where TimeGenerated > ago(1h)
    | summarize
        TotalRequests = count(),
        UniqueURIs = dcount(csUriStem),
        Status5xx = countif(scStatus >= 500),
        Status429 = countif(scStatus == 429),
        DistinctUserAgents = dcount(csUserAgent),
        TotalBytesSent = sum(scBytes)
      by SourceIP = cIP, TargetSite = sSiteName, TimeBin = bin(TimeGenerated, FloodWindow)
    | where TotalRequests > RequestFloodThreshold or Status5xx > ErrorFloodThreshold
    | extend RequestsPerSecond = round(toreal(TotalRequests) / 300, 2)
    | extend FloodType = case(
        UniqueURIs == 1 and TotalRequests > RequestFloodThreshold, "Single-Resource HTTP Flood",
        DistinctUserAgents == 1 and TotalRequests > 1000, "Simple HTTP Flood",
        Status5xx > ErrorFloodThreshold, "Service Degradation via HTTP Flood",
        "HTTP Request Flood"
      )
    | extend DetectionSource = "IIS_Log"
    | project TimeBin, SourceIP, TargetSite, TotalRequests, RequestsPerSecond,
              UniqueURIs, Status5xx, Status429, DistinctUserAgents, FloodType, DetectionSource;
// Branch 2: Azure Application Gateway WAF — flood/DoS rule triggers
let WAFFlood =
    AzureDiagnostics
    | where TimeGenerated > ago(1h)
    | where ResourceType == "APPLICATIONGATEWAYS"
    | where Category == "ApplicationGatewayFirewallLog"
    | where Message has_any ("flood", "DoS", "renegotiation", "connection limit", "rate limit", "SSL flood")
          or ruleGroup_s has_any ("DoS", "RCE", "HTTP")
    | summarize
        BlockedRequests = count(),
        UniqueRules = dcount(ruleId_s),
        UniqueTargetURIs = dcount(requestUri_s)
      by SourceIP = clientIp_s, TargetSite = hostname_s, TimeBin = bin(TimeGenerated, FloodWindow)
    | where BlockedRequests > 50
    | extend FloodType = "WAF_Blocked_Flood"
    | extend DetectionSource = "Azure_AppGateway_WAF"
    | project TimeBin, SourceIP, TargetSite, TotalRequests = BlockedRequests,
              RequestsPerSecond = round(toreal(BlockedRequests) / 300, 2),
              UniqueURIs = UniqueRules, Status5xx = BlockedRequests, Status429 = 0,
              DistinctUserAgents = 0, FloodType, DetectionSource;
// Branch 3: CommonSecurityLog — firewall/IDS flood and SSL renegotiation alerts (Palo Alto, Fortinet, CheckPoint)
let NetworkFlood =
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    | where Activity has_any ("flood", "DoS", "denial of service", "SSL renegotiation", "connection exhaustion", "HTTP flood", "SYN flood")
          or DeviceEventClassID has_any ("flood", "dos", "renegotiation", "conn-limit")
    | summarize
        AlertCount = count(),
        UniqueDestPorts = dcount(DestinationPort),
        AffectedTargets = dcount(DestinationIP)
      by SourceIP, DestinationIP, DeviceProduct, Activity, TimeBin = bin(TimeGenerated, FloodWindow)
    | extend FloodType = strcat("Network_Alert: ", Activity)
    | extend DetectionSource = DeviceProduct
    | project TimeBin, SourceIP, TargetSite = DestinationIP, TotalRequests = AlertCount,
              RequestsPerSecond = toreal(0), UniqueURIs = UniqueDestPorts, Status5xx = 0,
              Status429 = 0, DistinctUserAgents = 0, FloodType, DetectionSource;
// Union all detection branches
union isfuzzy=true IISFlood, WAFFlood, NetworkFlood
| sort by TotalRequests desc
high severity medium confidence

Detects Service Exhaustion Flood attacks (T1499.002) using three complementary Microsoft Sentinel data sources: (1) W3CIISLog — identifies HTTP floods from single source IPs by aggregating request counts, 5xx error rates, unique URIs, and distinct user agent counts in 5-minute windows. Flags single-resource floods, simple high-volume floods, and service degradation patterns. (2) AzureDiagnostics (Azure Application Gateway WAF) — surfaces WAF-blocked flood and DoS rule triggers including SSL renegotiation detection. (3) CommonSecurityLog — captures network-layer flood alerts from firewall and IDS devices (Palo Alto, Fortinet, CheckPoint) reporting HTTP floods, SSL renegotiation attacks, and connection exhaustion events. All branches project a unified schema for consistent alerting.

Data Sources

Network: Network TrafficApplication Log: Application Log ContentW3CIISLog (IIS Web Server Logs)AzureDiagnostics (Azure Application Gateway / WAF)CommonSecurityLog (Firewall/IDS CEF)

Required Tables

W3CIISLogAzureDiagnosticsCommonSecurityLog

False Positives & Tuning

  • Legitimate high-traffic events such as product launches, viral marketing campaigns, or news coverage driving genuine traffic spikes from many distributed users
  • Web scraping bots, SEO crawlers, and content aggregators that rapidly enumerate site content and generate high request volumes from single IP ranges
  • Load testing tools (Apache Bench, k6, Locust, JMeter, Gatling) used by development and QA teams against production or staging environments without prior notification
  • CDN edge nodes, reverse proxies, or shared NAT gateways that aggregate traffic from many legitimate users behind a single source IP, inflating per-IP counts
  • Automated monitoring, synthetic transaction tools, and health check agents that poll endpoints at high frequency
Download portable Sigma rule (.yml)

Other platforms for T1499.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1HTTP Flood via Apache Bench (ab)

    Expected signal: IIS/Apache access logs: 5000 GET requests from 127.0.0.1 to / within ~30-60 seconds, generating ~83-166 req/sec. Linux syslog: ab process creation if auditd enabled. Web server error logs: likely 500/503 responses if no service is running on port 80. Network flow data: single-flow burst pattern from source 127.0.0.1 to destination 127.0.0.1:80.

  2. Test 2HTTP Flood via Python requests (cross-platform)

    Expected signal: IIS W3C logs: 5000 GET requests from source IP 127.0.0.1 with Python requests User-Agent string within ~10-30 seconds. Windows Security Event 4688 (process create) for python3.exe with command line visible if command line auditing enabled. Sysmon Event 1: python3.exe process creation. Sysmon Event 3: multiple concurrent TCP connections from python3.exe to 127.0.0.1:80.

  3. Test 3SSL Renegotiation Exhaustion via openssl s_client

    Expected signal: Linux syslog/auditd: 20 concurrent openssl s_client process creations. TLS server logs (nginx ssl_error.log or Apache ssl_error.log): TLS renegotiation events or errors. Windows equivalent via Schannel: EventID 36874 or 36888 in System Event Log when server rejects or fails renegotiation. Network packet capture: multiple TLS ClientHello and Handshake records on port 443 followed by TLS Handshake (type 22) renegotiation records within existing sessions.

  4. Test 4Single-Resource HTTP Flood targeting application endpoint

    Expected signal: IIS/Apache access logs: 2000 GET requests to /search from 127.0.0.1 with distinct query strings, all within 2-3 minute window. Sysmon Event 1 (if enabled): multiple curl process creation events. Sysmon Event 3: TCP connections from curl to 127.0.0.1:80. Web server logs: potential 404 or 500 responses if /search endpoint does not exist.

Last updated: 2026-04-19 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1499.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1499Endpoint Denial of Service

Related Sub-techniques

T1499.001OS Exhaustion FloodT1499.003Application Exhaustion FloodT1499.004Application or System Exploitation

Related Techniques

T1499Endpoint Denial of ServiceT1499.001OS Exhaustion FloodT1499.003Application Exhaustion FloodT1498Network Denial of ServiceT1498.001Direct Network FloodT1498.002Reflection AmplificationT1489Service StopT1491.002External DefacementT1071.001Web Protocols

Same Tactic: Impact

Popular Detections