Contrast ADR - DLP SQL Injection Correlation
| Id | 1aac7737-d52f-483d-b225-6a27c1b29a9e |
| Rulename | Contrast ADR - DLP SQL Injection Correlation |
| Description | Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access. |
| Severity | High |
| Tactics | InitialAccess CredentialAccess Collection Exfiltration CommandAndControl Reconnaissance CredentialAccess LateralMovement Discovery |
| Techniques | T1190 T1552 T1005 T1041 T1008 T1590 T1571 T1528 T1021 T1046 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml |
| Version | 1.0.0 |
| Arm template | 1aac7737-d52f-483d-b225-6a27c1b29a9e.json |
ContrastADR_CL
| where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
| project-rename hostname_s = host_hostname_s
//please add your DLP logs table in place of ContrastWAFLogs_CL and hostname colomun in place of hostname_s below and uncomment the queries below
//| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s
description: |
'Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.'
version: 1.0.0
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
- Collection
- Exfiltration
- CommandAndControl
- Reconnaissance
- CredentialAccess
- LateralMovement
- Discovery
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
triggerOperator: gt
status: Available
alertDetailsOverride:
alertDisplayNameFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} '
alertDescriptionFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} '
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
name: Contrast ADR - DLP SQL Injection Correlation
queryFrequency: 5m
severity: High
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
groupByEntities:
- Host
- IP
reopenClosedIncident: false
matchingMethod: Selected
lookbackDuration: PT30M
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: SourceIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: host_hostname_s
identifier: HostName
entityType: Host
relevantTechniques:
- T1190
- T1552
- T1005
- T1041
- T1008
- T1590
- T1571
- T1528
- T1021
- T1046
query: |
ContrastADR_CL
| where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
| project-rename hostname_s = host_hostname_s
//please add your DLP logs table in place of ContrastWAFLogs_CL and hostname colomun in place of hostname_s below and uncomment the queries below
//| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s
requiredDataConnectors:
- dataTypes:
- ContrastADR_CL
connectorId: ContrastADR