NGINX - Sql injection patterns

Back


Id	3bac451d-f919-4c92-9be7-694990e0ca4b
Rulename	NGINX - Sql injection patterns
Description	Detects possible sql injection patterns
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXSqlPattern.yaml
Version	1.0.3
Arm template	3bac451d-f919-4c92-9be7-694990e0ca4b.json

KQL

let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal

YAML

requiredDataConnectors:
- dataTypes:
  - NGINX_CL
  connectorId: CustomLogsAma
relevantTechniques:
- T1190
triggerOperator: gt
version: 1.0.3
queryFrequency: 10m
severity: High
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
name: NGINX - Sql injection patterns
query: |
  let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
  NGINXHTTPServer
  | where UrlOriginal has_any (sql_patterns)
  | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal  
tactics:
- InitialAccess
queryPeriod: 10m
description: |
    'Detects possible sql injection patterns'
kind: Scheduled
id: 3bac451d-f919-4c92-9be7-694990e0ca4b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXSqlPattern.yaml
status: Available

ARM