Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast ADR - DLP SQL Injection Correlation

Contrast ADR - DLP SQL Injection Correlation

Back
Id1aac7737-d52f-483d-b225-6a27c1b29a9e
RulenameContrast ADR - DLP SQL Injection Correlation
DescriptionDetects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.
SeverityHigh
TacticsInitialAccess
CredentialAccess
Collection
Exfiltration
CommandAndControl
Reconnaissance
CredentialAccess
LateralMovement
Discovery
TechniquesT1190
T1552
T1005
T1041
T1008
T1590
T1571
T1528
T1021
T1046
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
Version1.0.0
Arm template1aac7737-d52f-483d-b225-6a27c1b29a9e.json
Deploy To Azure
ContrastADR_CL
| where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
| project-rename hostname_s = host_hostname_s
//please add your DLP logs table in place of ContrastWAFLogs_CL and hostname colomun in place of hostname_s below and uncomment the queries below
//| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s

kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDescriptionFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
description: |
    'Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.'
severity: High
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT30M
    matchingMethod: Selected
    enabled: true
    groupByEntities:
    - Host
    - IP
  createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1190
- T1552
- T1005
- T1041
- T1008
- T1590
- T1571
- T1528
- T1021
- T1046
status: Available
tactics:
- InitialAccess
- CredentialAccess
- Collection
- Exfiltration
- CommandAndControl
- Reconnaissance
- CredentialAccess
- LateralMovement
- Discovery
name: Contrast ADR - DLP SQL Injection Correlation
id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
query: |
  ContrastADR_CL
  | where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
  | project-rename hostname_s = host_hostname_s
  //please add your DLP logs table in place of ContrastWAFLogs_CL and hostname colomun in place of hostname_s below and uncomment the queries below
  //| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s  
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
queryPeriod: 5m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1aac7737-d52f-483d-b225-6a27c1b29a9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1aac7737-d52f-483d-b225-6a27c1b29a9e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} "
        },
        "alertRuleTemplateName": "1aac7737-d52f-483d-b225-6a27c1b29a9e",
        "customDetails": null,
        "description": "'Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.'\n",
        "displayName": "Contrast ADR - DLP SQL Injection Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "Host",
              "IP"
            ],
            "lookbackDuration": "PT30M",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"EXPLOITED\" and rule_s =~ \"SQL-INJECTION\"\n| project-rename hostname_s = host_hostname_s\n//please add your DLP logs table in place of ContrastWAFLogs_CL and hostname colomun in place of hostname_s below and uncomment the queries below\n//| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "InitialAccess",
          "LateralMovement",
          "Reconnaissance"
        ],
        "techniques": [
          "T1005",
          "T1008",
          "T1021",
          "T1041",
          "T1046",
          "T1190",
          "T1528",
          "T1552",
          "T1571",
          "T1590"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}