
Contrast ADR - DLP SQL Injection Correlation

Id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
Rulename: Contrast ADR - DLP SQL Injection Correlation
Description: Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.
Severity: High
Tactics: InitialAccess
CredentialAccess
Collection
Exfiltration
CommandAndControl
Reconnaissance
CredentialAccess
LateralMovement
Discovery
Techniques: T1190
T1552
T1005
T1041
T1008
T1590
T1571
T1528
T1021
T1046
Required data connectors: ContrastADR
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
Version: 1.0.0
Arm template: 1aac7737-d52f-483d-b225-6a27c1b29a9e.json
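// Contrast ADR events whose result is EXPLOITED for the SQL-INJECTION rule;
// the rule description treats EXPLOITED as a successful injection, not an attempt.
ContrastADR_CL
| where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
// Keep host_hostname_s (the rule's Host entity mapping reads that column) and
// add hostname_s as the join key. project-rename would drop the original
// column and leave the Host entity empty.
| extend hostname_s = host_hostname_s
// NOTE(review): while the join below is commented out this query does NO
// WAF/DLP correlation - every EXPLOITED SQL injection event is alerted on
// by itself. To enable it, replace ContrastWAFLogs_CL with your WAF/DLP table
// and make sure that table exposes the host name under the same column name
// (hostname_s); a single-name "on" clause requires the column on both sides.
// kind=inner emits one row per matching WAF/DLP record, so with
// AlertPerResult grouping one attack can raise several alerts; summarize or
// take the latest match if that proves too noisy. The inner ago(5m) filter
// is presumably meant to mirror the rule's 5m query period - confirm the two
// stay aligned if the period is widened.
//| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s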
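# NOTE(review): despite the name, the shipped query performs no WAF/DLP
# correlation - the join is commented out - so every Contrast ADR
# "EXPLOITED" SQL-INJECTION event raises a High alert on its own.
id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
name: Contrast ADR - DLP SQL Injection Correlation
# Plain block scalar: the upstream file wrapped the text in single quotes
# inside the block, which made the quotes part of the deployed description.
description: >-
  Detects successful SQL injection attacks identified by Contrast ADR and
  correlates them with WAF/DLP logs. This rule identifies critical database
  security breaches that have bypassed initial defenses and may result in
  data exfiltration or unauthorized database access.
severity: High
status: Available
kind: Scheduled
version: 1.0.0
requiredDataConnectors:
  - connectorId: ContrastADR
    dataTypes:
      - ContrastADR_CL
# Frequency and period are equal, so consecutive runs do not overlap; events
# that reach the workspace late (ingestion delay) can fall between windows.
# Widening queryPeriod beyond queryFrequency is the usual mitigation.
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
# CredentialAccess was listed twice upstream; one entry is enough.
tactics:
  - InitialAccess
  - CredentialAccess
  - Collection
  - Exfiltration
  - CommandAndControl
  - Reconnaissance
  - LateralMovement
  - Discovery
# NOTE(review): a single SQL injection event evidences T1190 (and, once the
# DLP join is enabled, possibly T1005/T1041); the remaining techniques are
# not established by anything the query checks and may be worth trimming.
relevantTechniques:
  - T1190
  - T1552
  - T1005
  - T1041
  - T1008
  - T1590
  - T1571
  - T1528
  - T1021
  - T1046
query: |
  // Contrast ADR events whose result is EXPLOITED for the SQL-INJECTION rule;
  // the rule description treats EXPLOITED as a successful injection, not an attempt.
  ContrastADR_CL
  | where result_s =~ "EXPLOITED" and rule_s =~ "SQL-INJECTION"
  // Keep host_hostname_s (the Host entity mapping below reads that column)
  // and add hostname_s as the join key. project-rename would drop the
  // original column and leave the Host entity empty.
  | extend hostname_s = host_hostname_s
  // To enable correlation, replace ContrastWAFLogs_CL with your WAF/DLP table
  // and make sure it exposes the host name under the same column name
  // (hostname_s); a single-name "on" clause requires the column on both sides.
  // kind=inner emits one row per matching WAF/DLP record, so with
  // AlertPerResult one attack can raise several alerts; summarize or take the
  // latest match if that proves too noisy. Keep the inner ago(5m) aligned
  // with queryPeriod if the period is widened.
  //| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s
entityMappings:
  - entityType: IP
    fieldMappings:
      # NOTE(review): the query does not project a SourceIP column; confirm
      # ContrastADR_CL exposes the client address under exactly this name,
      # otherwise the IP entity (and IP-based incident grouping) stays empty.
      - identifier: Address
        columnName: SourceIP
  - entityType: Host
    fieldMappings:
      # host_hostname_s survives the query because it uses extend, not rename.
      - identifier: HostName
        columnName: host_hostname_s
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT30M
    matchingMethod: Selected
    groupByEntities:
      - Host
      - IP
# NOTE(review): request_headers_referer_s is the client-supplied Referer
# header, not the attacked endpoint, so an attacker controls what appears in
# the alert title and description. Prefer a request URL/path column if the
# table provides one.
alertDetailsOverride:
  alertDisplayNameFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDescriptionFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml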
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1aac7737-d52f-483d-b225-6a27c1b29a9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1aac7737-d52f-483d-b225-6a27c1b29a9e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} "
        },
        "alertRuleTemplateName": "1aac7737-d52f-483d-b225-6a27c1b29a9e",
        "customDetails": null,
        "description": "Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.",
        "displayName": "Contrast ADR - DLP SQL Injection Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "Host",
              "IP"
            ],
            "lookbackDuration": "PT30M",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"EXPLOITED\" and rule_s =~ \"SQL-INJECTION\"\n| project-rename hostname_s = host_hostname_s\n//please add your DLP logs table in place of ContrastWAFLogs_CL and hostname colomun in place of hostname_s below and uncomment the queries below\n//| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "Discovery",
          "Exfiltration",
          "InitialAccess",
          "LateralMovement",
          "Reconnaissance"
        ],
        "techniques": [
          "T1005",
          "T1008",
          "T1021",
          "T1041",
          "T1046",
          "T1190",
          "T1528",
          "T1552",
          "T1571",
          "T1590"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}