let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
queryPeriod: 10m
description: |
'Detects possible sql injection patterns'
kind: Scheduled
query: |
let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
tactics:
- InitialAccess
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXSqlPattern.yaml
id: 3bac451d-f919-4c92-9be7-694990e0ca4b
version: 1.0.3
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
triggerThreshold: 0
status: Available
relevantTechniques:
- T1190
name: NGINX - Sql injection patterns
severity: High
requiredDataConnectors:
- dataTypes:
- NGINX_CL
connectorId: CustomLogsAma
queryFrequency: 10m
