SQL Injection

Back


Id	6219dcff-ea59-414b-98f3-0938b9ad3459
Rulename	SQL Injection
Description	SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.
Severity	Medium
Tactics	Impact
Techniques	T1516
Required data connectors	ContrastADR
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml
Version	1.0.0
Arm template	6219dcff-ea59-414b-98f3-0938b9ad3459.json

KQL

ContrastADR_CL | where rule_s == "sql-injection"

YAML

description: |
    'SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.'
tactics:
- Impact
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml
query: ContrastADR_CL | where rule_s == "sql-injection"
version: 1.0.0
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: uiUrl_s
    identifier: Url
id: 6219dcff-ea59-414b-98f3-0938b9ad3459
kind: Scheduled
relevantTechniques:
- T1516
severity: Medium
triggerThreshold: 0
triggerOperator: gt
name: SQL Injection
queryFrequency: 5m
status: Available

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6219dcff-ea59-414b-98f3-0938b9ad3459')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6219dcff-ea59-414b-98f3-0938b9ad3459')]",
      "properties": {
        "alertRuleTemplateName": "6219dcff-ea59-414b-98f3-0938b9ad3459",
        "customDetails": null,
        "description": "'SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml",
        "query": "ContrastADR_CL | where rule_s == \"sql-injection\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}