Managed Sentinel – Alert 215
Alert ID | MS-A215 |
Alert Name | IIS pages generating errors (Status 500s) |
Description | This alert identifies IIS website pages that generate errors (Status code 500+). |
Severity Level | Informational |
Threat Indicator | Misconfiguration |
MITRE ATT&CK Tactics | Execution |
Log sources | Web Traffic |
False Positive | |
Recommendations | The 500 Internal Server Error is a very general HTTP status code that means something has gone wrong on the website's server, but the server could not be more specific about what the exact problem is.
1. Contact your website administrator and ask for remediation tasks.
2. Perform an investigation in Azure Sentinel to understand whether any abnormal activity was seen against the specific website (other alerts related to the same entity).
Typical remediation tasks are:
- A permissions error. In most cases, a 500 Internal Server Error is due to an incorrect permission on one or more files or folders. In most of those cases, an incorrect permission on a PHP or CGI script is to blame. These should usually be set to 0755 (-rwxr-xr-x).
- A PHP timeout. If your script connects to external resources and those resources time out, an HTTP 500 error can occur. Timeout rules, or better error handling in your script, should help if this is the cause of the 500 error.
- A coding error in .htaccess. While not as common, be sure to check that your site's .htaccess file is properly structured. |