SQL Injection

ContrastADR_CL | where rule_s == "cmd-injection"

entityMappings:
- fieldMappings:
  - columnName: uiUrl_s
    identifier: Url
  entityType: URL
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/ContrastADR_Command_Injestion.yaml
queryFrequency: 5m
status: Available
relevantTechniques:
- T1516
triggerOperator: gt
id: 4a6f6b20-f22c-455c-bce1-67258306544a
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
version: 1.0.0
name: SQL Injection
description: |
    'Command injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject and execute arbitrary operating system (OS) commands on the server. By manipulating input data, attackers can manipulate the application's execution flow, tricking it into running unintended system commands.This can result in data breaches, system compromise, etc. Contrast uses various detection capabilities for Command Injection. Some track malicious input into commands being run, some detect sensitive file paths being accessed, and so forth.'
query: ContrastADR_CL | where rule_s == "cmd-injection"
tactics:
- Impact
queryPeriod: 5m
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a6f6b20-f22c-455c-bce1-67258306544a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a6f6b20-f22c-455c-bce1-67258306544a')]",
      "properties": {
        "alertRuleTemplateName": "4a6f6b20-f22c-455c-bce1-67258306544a",
        "customDetails": null,
        "description": "'Command injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject and execute arbitrary operating system (OS) commands on the server. By manipulating input data, attackers can manipulate the application's execution flow, tricking it into running unintended system commands.This can result in data breaches, system compromise, etc. Contrast uses various detection capabilities for Command Injection. Some track malicious input into commands being run, some detect sensitive file paths being accessed, and so forth.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/ContrastADR_Command_Injestion.yaml",
        "query": "ContrastADR_CL | where rule_s == \"cmd-injection\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}