let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
query: |
let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
version: 1.0.3
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXSqlPattern.yaml
status: Available
description: |
'Detects possible sql injection patterns'
queryFrequency: 10m
name: NGINX - Sql injection patterns
kind: Scheduled
triggerThreshold: 0
id: 3bac451d-f919-4c92-9be7-694990e0ca4b
requiredDataConnectors:
- connectorId: CustomLogsAma
dataTypes:
- NGINX_CL
severity: High
queryPeriod: 10m
entityMappings:
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
- fieldMappings:
- columnName: UrlCustomEntity
identifier: Url
entityType: URL
relevantTechniques:
- T1190
tactics:
- InitialAccess
