Microsoft Sentinel Analytic Rules

Contrast ADR - DLP SQL Injection Correlation

Id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
Rulename: Contrast ADR - DLP SQL Injection Correlation
Description: Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.
Severity: High
Tactics: InitialAccess, CredentialAccess, Collection, Exfiltration, CommandAndControl, Reconnaissance, CredentialAccess, LateralMovement, Discovery
Techniques: T1190, T1552, T1005, T1041, T1008, T1590, T1571, T1528, T1021, T1046
Required data connectors: ContrastADRCCF
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
Version: 1.0.1
Arm template: 1aac7737-d52f-483d-b225-6a27c1b29a9e.json
ContrastADRAttackEvents_CL
| where result =~ "EXPLOITED" and rule =~ "SQL-INJECTION"
| project-rename hostname = host_hostname
//Replace ContrastWAFLogs_CL with your DLP log table and hostname with its host column, then uncomment the join below
//| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname
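The query above ships with its correlation join commented out, so as deployed it alerts on Contrast's own "EXPLOITED" verdict alone; enabling the join changes what fires. The following Python is an added offline emulation of the KQL semantics, not code from the rule or from Contrast: it models the case-insensitive `=~` filter, the `project-rename`, and an enabled `join kind=inner` restricted to the 5-minute query period. The DLP table rows, their `hostname`, `action` and `bytes_out` columns and the fixed evaluation time are assumptions, and every event is constructed for the example. It shows two things a practitioner should expect once the join is live: an exploited event with no DLP record in the window is dropped entirely, and one exploited event that matches several DLP rows fans out into several rows, each of which becomes its own alert under `aggregationKind: AlertPerResult`.

```python
"""Offline emulation of the KQL in the rule above (added example, not the rule's code).

Models the rendered query with the placeholder join enabled:
    ContrastADRAttackEvents_CL
    | where result =~ "EXPLOITED" and rule =~ "SQL-INJECTION"
    | project-rename hostname = host_hostname
    | join kind=inner (<DLP table> | where TimeGenerated >= ago(5m)) on hostname
The DLP rows, their columns and the fixed "now" are assumptions; every event
below is constructed for the example.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # assumed evaluation time for ago()
QUERY_PERIOD = timedelta(minutes=5)                       # queryPeriod: 5m

# Constructed ContrastADRAttackEvents_CL rows. Column names follow the rule's
# query and entity mappings (result, rule, host_hostname, sourceIp, application_name).
CONTRAST_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=1), "result": "exploited", "rule": "sql-injection",
     "host_hostname": "web-01", "sourceIp": "203.0.113.10", "application_name": "orders-api"},
    {"TimeGenerated": NOW - timedelta(minutes=2), "result": "BLOCKED", "rule": "SQL-INJECTION",
     "host_hostname": "web-02", "sourceIp": "203.0.113.11", "application_name": "orders-api"},
    {"TimeGenerated": NOW - timedelta(minutes=3), "result": "EXPLOITED", "rule": "XSS",
     "host_hostname": "web-01", "sourceIp": "203.0.113.12", "application_name": "portal"},
    {"TimeGenerated": NOW - timedelta(minutes=4), "result": "EXPLOITED", "rule": "SQL-INJECTION",
     "host_hostname": "web-03", "sourceIp": "203.0.113.13", "application_name": "billing"},
    {"TimeGenerated": NOW - timedelta(minutes=9), "result": "EXPLOITED", "rule": "SQL-INJECTION",
     "host_hostname": "web-01", "sourceIp": "203.0.113.14", "application_name": "orders-api"},
]

# Constructed rows for the customer-supplied DLP/WAF table (assumed "hostname" column).
DLP_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=1), "hostname": "web-01", "action": "allow", "bytes_out": 1_200_000},
    {"TimeGenerated": NOW - timedelta(minutes=2), "hostname": "web-01", "action": "allow", "bytes_out": 800_000},
    {"TimeGenerated": NOW - timedelta(minutes=20), "hostname": "web-03", "action": "allow", "bytes_out": 50_000},
]


def within_period(rows, now=NOW, period=QUERY_PERIOD):
    """Rows a scheduled run sees: TimeGenerated >= ago(queryPeriod)."""
    return [r for r in rows if r["TimeGenerated"] >= now - period]


def where_exploited_sqli(rows):
    """KQL `=~` is case-insensitive equality, so mixed-case verdicts still match."""
    return [r for r in rows
            if r["result"].lower() == "exploited" and r["rule"].lower() == "sql-injection"]


def project_rename(rows):
    """project-rename hostname = host_hostname"""
    return [{**{k: v for k, v in r.items() if k != "host_hostname"},
             "hostname": r["host_hostname"]} for r in rows]


def join_inner(left, right, key):
    """join kind=inner: every matching (left, right) pair becomes one output row.
    Right-side columns whose names collide with the left (including the key
    and TimeGenerated) get a "1" suffix, as KQL does."""
    out = []
    for lrow in left:
        for rrow in right:
            if lrow[key] == rrow[key]:
                merged = dict(lrow)
                for k, v in rrow.items():
                    merged[f"{k}1" if k in lrow else k] = v
                out.append(merged)
    return out


def run_rule_as_shipped(contrast=CONTRAST_EVENTS, now=NOW):
    """The rule with the join still commented out: Contrast's verdict alone."""
    return project_rename(where_exploited_sqli(within_period(contrast, now)))


def run_rule_with_join(contrast=CONTRAST_EVENTS, dlp=DLP_EVENTS, now=NOW):
    """The rule once the placeholder join is enabled against the DLP table."""
    return join_inner(run_rule_as_shipped(contrast, now), within_period(dlp, now), "hostname")


def collapse_fanout(joined):
    """One row per Contrast event with the number of correlated DLP rows, i.e. what a
    `summarize dlp_rows=count() by hostname, sourceIp, TimeGenerated` would produce
    instead of one AlertPerResult alert per joined pair."""
    counts = {}
    for r in joined:
        k = (r["hostname"], r["sourceIp"], r["TimeGenerated"])
        counts[k] = counts.get(k, 0) + 1
    return [{"hostname": h, "sourceIp": ip, "TimeGenerated": t, "dlp_rows": n}
            for (h, ip, t), n in counts.items()]


if __name__ == "__main__":
    print("as shipped:", [r["hostname"] for r in run_rule_as_shipped()])
    print("with join :", len(run_rule_with_join()), "rows ->", collapse_fanout(run_rule_with_join()))
```

With these constructed inputs the shipped query yields two hits (web-01 and web-03). With the join enabled, web-03 disappears because its only DLP row is older than the 5-minute window, and web-01 produces two rows for a single exploit, so two alerts. Because queryFrequency and queryPeriod are both 5m, a DLP record that lands a few seconds after the window closes is never correlated with the Contrast event that preceded it; widen queryPeriod (or the `ago()` inside the join) if the DLP pipeline lags, and summarize per Contrast event if one alert per exploit is the intent.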
relevantTechniques:
- T1190
- T1552
- T1005
- T1041
- T1008
- T1590
- T1571
- T1528
- T1021
- T1046
name: Contrast ADR - DLP SQL Injection Correlation
version: 1.0.1
entityMappings:
- fieldMappings:
  - columnName: sourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: hostname
    identifier: HostName
  entityType: Host
triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer}}  endpoint of {{application_name}} '
  alertDescriptionFormat: 'Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer}}  endpoint of {{application_name}} '
kind: Scheduled
queryFrequency: 5m
description: |
    'Detects successful SQL injection attacks identified by Contrast ADR and correlates them with WAF/DLP logs. This rule identifies critical database security breaches that have bypassed initial defenses and may result in data exfiltration or unauthorized database access.'
queryPeriod: 5m
id: 1aac7737-d52f-483d-b225-6a27c1b29a9e
requiredDataConnectors:
- connectorId: ContrastADRCCF
  dataTypes:
  - ContrastADRAttackEvents_CL
tactics:
- InitialAccess
- CredentialAccess
- Collection
- Exfiltration
- CommandAndControl
- Reconnaissance
- CredentialAccess
- LateralMovement
- Discovery
severity: High
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
query: |
  ContrastADRAttackEvents_CL
  | where result =~ "EXPLOITED" and rule =~ "SQL-INJECTION"
  | project-rename hostname = host_hostname
  //Replace ContrastWAFLogs_CL with your DLP log table and hostname with its host column, then uncomment the join below
  //| join kind= inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on hostname
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - Host
    - IP
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    lookbackDuration: PT30M