---
title: AWS ELB HTTP requests from security scanner
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS ELB HTTP requests from security scanner

- Classification: attack
- Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)
- Technique: [T1190-exploit-public-facing-application](https://attack.mitre.org/techniques/T1190)

## Goal{% #goal %}

Detect when a web application is being scanned. This identifies the IP addresses of attackers who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`.

## Strategy{% #strategy %}

Inspect the user agent in the HTTP headers to determine if an IP is scanning your application, using an HTTP header from [darkquasar](https://gist.github.com/darkquasar)'s [gist](https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380). The detection does this using two cases:

- Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`
- Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`
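
The two cases above, sketched offline as an added Python example (this is not Datadog's rule definition). The user-agent substrings, the threshold of 3 unique paths, and the sample events are assumptions constructed for illustration; the event keys mirror the attributes named in the rule.

```python
from collections import defaultdict

# Assumed stand-in for the gist's user-agent list (not copied from it).
SCANNER_UA_SUBSTRINGS = ("sqlmap", "nikto", "nmap scripting engine", "masscan")
# Assumed value: the rule text only says "several" unique paths.
UNIQUE_PATH_THRESHOLD = 3

def ev(ip, ua, path, status):
    """Build one constructed log event keyed by the rule's attribute names."""
    return {"network.client.ip": ip, "http.useragent": ua,
            "http.url_details.path": path, "http.status_code": status}

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
# Constructed sample traffic (documentation IP ranges, not real logs).
SAMPLE_EVENTS = (
    [ev("198.51.100.7", "sqlmap/1.7", p, 200) for p in ("/", "/login", "/search")]
    + [ev("203.0.113.9", "Mozilla/5.00 (Nikto/2.1.6)", p, 404)
       for p in ("/admin", "/old", "/backup", "/admin")]
    # Many 404s but an ordinary user agent: not matched by this rule.
    + [ev("192.0.2.44", BROWSER_UA, p, 404) for p in ("/a", "/b", "/c", "/d")]
    # Scanner user agent but a single path: below the unique-path threshold.
    + [ev("192.0.2.80", "masscan/1.3", "/", 200) for _ in range(5)]
)

def is_scanner(useragent):
    """Case-insensitive substring match against the scanner list."""
    ua = (useragent or "").lower()
    return any(s in ua for s in SCANNER_UA_SUBSTRINGS)

def status_case(status):
    """Map a status code to the rule case it belongs to, or None."""
    if 200 <= status <= 299:
        return "case1_2xx"
    if 400 <= status <= 499:
        return "case2_4xx"
    return None

def detect(events, threshold=UNIQUE_PATH_THRESHOLD):
    """Return (ip, case, unique_path_count) for each IP and case that fires."""
    paths = defaultdict(set)  # (ip, case) -> set of unique paths requested
    for e in events:
        case = status_case(e["http.status_code"])
        if case and is_scanner(e.get("http.useragent")):
            paths[(e["network.client.ip"], case)].add(e["http.url_details.path"])
    return sorted((ip, case, len(p)) for (ip, case), p in paths.items()
                  if len(p) >= threshold)

if __name__ == "__main__":
    for ip, case, count in detect(SAMPLE_EVENTS):
        print(f"{ip} {case} unique_paths={count}")
```

The browser-like client at 192.0.2.44 produces no signal despite four distinct 404s, which is the blind spot the Goal section describes for an inconspicuous `@http.useragent`.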

## Triage and response{% #triage-and-response %}

1. Determine if this IP ({{@network.client.ip}}) is making authenticated requests to the application.
1. Check if these authentication requests are successful.
   - If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.
   - If they are not successful, `ARCHIVE` the signal.

**NOTE:** Your organization should tune out user agents that are valid but trigger this signal. To do this, see our [Fine-tune security signals to reduce noise](https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise) blog post.

## Changelog{% #changelog %}

4 April 2022 - Updated rule cases and signal message.
