let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
triggerThreshold: 0
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: URL
fieldMappings:
- identifier: Url
columnName: UrlCustomEntity
requiredDataConnectors:
- dataTypes:
- NGINX_CL
connectorId: CustomLogsAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXSqlPattern.yaml
name: NGINX - Sql injection patterns
relevantTechniques:
- T1190
status: Available
version: 1.0.3
queryPeriod: 10m
kind: Scheduled
id: 3bac451d-f919-4c92-9be7-694990e0ca4b
query: |
let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
description: |
'Detects possible sql injection patterns'
queryFrequency: 10m
severity: High
triggerOperator: gt
tactics:
- InitialAccess
