
Contrast ADR - DLP SQL Injection Correlation

Id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
Rule name: Contrast ADR - DLP SQL Injection Correlation
Description: Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.
Severity: High
Tactics: InitialAccess
CredentialAccess
Collection
Exfiltration
CommandAndControl
Reconnaissance
CredentialAccess
LateralMovement
Discovery
Techniques: T1190
T1552
T1005
T1041
T1008
T1590
T1571
T1528
T1021
T1046
Required data connectors: ContrastADR
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
Version: 1.0.0
Arm template: 1aac7737-d52f-483d-b225-6a27c1b29a9e.json
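// Contrast ADR results where a SQL-injection rule reports EXPLOITED.
// The WAF/DLP correlation is an optional join that ships commented out, so
// until it is enabled every EXPLOITED SQL-INJECTION result alerts on its own.
ContrastADR_CL
| where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
// extend, not project-rename: the rule's Host entity mapping reads
// host_hostname_s, which a rename would drop from the result set.
// hostname_s is a copy used as the join key for the optional correlation.
| extend hostname_s = host_hostname_s
// To correlate with your DLP/WAF logs, replace ContrastWAFLogs_CL with your DLP
// table and hostname_s with its hostname column, then uncomment the join.
// Keep ago(5m) aligned with the rule's queryPeriod.
//| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s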
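# Microsoft Sentinel scheduled analytic rule.
# Source: Contrast ADR results where a SQL-injection rule reports EXPLOITED.
# The WAF/DLP correlation named in the title is an optional join that ships
# commented out inside `query`; until it is enabled the rule fires on each
# EXPLOITED SQL-INJECTION result from ContrastADR_CL on its own.
id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
name: Contrast ADR - DLP SQL Injection Correlation
# No quotes inside the block scalar: the original wrapped the text in '...'
# and the quotes were carried verbatim into the rendered description.
description: >-
  Detects successful SQL injection attacks identified by Contrast ADR and
  correlates them with WAF/DLP logs. This rule identifies critical database
  security breaches that have bypassed initial defenses and may result in
  data exfiltration or unauthorized database access.
severity: High
status: Available
kind: Scheduled
version: 1.0.0
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml'
requiredDataConnectors:
  - connectorId: ContrastADR
    dataTypes:
      - ContrastADR_CL
# Frequency and period match the ago(5m) window used by the optional join;
# change all three together or the correlation silently loses events.
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess  # listed once; the original repeated this entry
  - Collection
  - Exfiltration
  - CommandAndControl
  - Reconnaissance
  - LateralMovement
  - Discovery
relevantTechniques:
  - T1190
  - T1552
  - T1005
  - T1041
  - T1008
  - T1590
  - T1571
  - T1528
  - T1021
  - T1046
query: |
  ContrastADR_CL
  | where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
  // extend, not project-rename: the Host entity mapping below reads
  // host_hostname_s, which a rename would drop from the result set.
  // hostname_s is a copy used as the join key for the optional correlation.
  | extend hostname_s = host_hostname_s
  // To correlate with your DLP/WAF logs, replace ContrastWAFLogs_CL with your
  // DLP table and hostname_s with its hostname column, then uncomment the join.
  //| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: host_hostname_s
  # NOTE(review): the query never projects a SourceIP column; confirm that
  # ContrastADR_CL carries one, otherwise the IP entity (and the IP-based
  # incident grouping below) stays empty.
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
# NOTE(review): request_headers_referer_s is a client-supplied header, so the
# value can be absent or chosen by the sender, and it names the referring page
# rather than the attacked endpoint; check whether a request URI column exists.
alertDetailsOverride:
  alertDisplayNameFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}}'
  alertDescriptionFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}}'
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT30M
    matchingMethod: Selected
    groupByEntities:
      - Host
      - IP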
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1aac7737-d52f-483d-b225-6a27c1b29a9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1aac7737-d52f-483d-b225-6a27c1b29a9e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} "
        },
        "alertRuleTemplateName": "1aac7737-d52f-483d-b225-6a27c1b29a9e",
        "customDetails": null,
        "description": "'Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.'\n",
        "displayName": "Contrast ADR - DLP SQL Injection Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "Host",
              "IP"
            ],
            "lookbackDuration": "PT30M",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"EXPLOITED\" and rule_s =~ \"SQL-INJECTION\"\n| project-rename hostname_s = host_hostname_s\n//please add your DLP logs table in place of ContrastWAFLogs_CL and hostname colomun in place of hostname_s below and uncomment the queries below\n//| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "InitialAccess",
          "LateralMovement",
          "Reconnaissance"
        ],
        "techniques": [
          "T1005",
          "T1008",
          "T1021",
          "T1041",
          "T1046",
          "T1190",
          "T1528",
          "T1552",
          "T1571",
          "T1590"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}