let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
description: |
'Detects possible sql injection patterns'
version: 1.0.3
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX HTTP Server/Analytic Rules/NGINXSqlPattern.yaml
triggerOperator: gt
status: Available
id: 3bac451d-f919-4c92-9be7-694990e0ca4b
name: NGINX - Sql injection patterns
queryFrequency: 10m
severity: High
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
- fieldMappings:
- columnName: UrlCustomEntity
identifier: Url
entityType: URL
relevantTechniques:
- T1190
query: |
let sql_patterns = dynamic([@"1/*'*/", @"1'||'asd'||'", @"'1'='1", @"1' or '1'='1", @"1 or 1=1", @"1=1", @"1/*!1111'*/", @"'or''='"]);
NGINXHTTPServer
| where UrlOriginal has_any (sql_patterns)
| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal
requiredDataConnectors:
- dataTypes:
- NGINX_CL
connectorId: CustomLogsAma
