SQL Injection

Back


Id	6219dcff-ea59-414b-98f3-0938b9ad3459
Rulename	SQL Injection
Description	SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.
Severity	Medium
Tactics	Impact
Techniques	T1516
Required data connectors	ContrastADR
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml
Version	1.0.0
Arm template	6219dcff-ea59-414b-98f3-0938b9ad3459.json

KQL

ContrastADR_CL | where rule_s == "sql-injection"

YAML

requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
tactics:
- Impact
description: |
    'SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.'
query: ContrastADR_CL | where rule_s == "sql-injection"
id: 6219dcff-ea59-414b-98f3-0938b9ad3459
triggerOperator: gt
relevantTechniques:
- T1516
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml
queryFrequency: 5m
severity: Medium
entityMappings:
- fieldMappings:
  - columnName: uiUrl_s
    identifier: Url
  entityType: URL
name: SQL Injection
queryPeriod: 5m
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
status: Available

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6219dcff-ea59-414b-98f3-0938b9ad3459')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6219dcff-ea59-414b-98f3-0938b9ad3459')]",
      "properties": {
        "alertRuleTemplateName": "6219dcff-ea59-414b-98f3-0938b9ad3459",
        "customDetails": null,
        "description": "'SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml",
        "query": "ContrastADR_CL | where rule_s == \"sql-injection\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}