SQL Injection

Back


Id	6219dcff-ea59-414b-98f3-0938b9ad3459
Rulename	SQL Injection
Description	SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.
Severity	Medium
Tactics	Impact
Techniques	T1516
Required data connectors	ContrastADR
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml
Version	1.0.0
Arm template	6219dcff-ea59-414b-98f3-0938b9ad3459.json

KQL

ContrastADR_CL | where rule_s == "sql-injection"

YAML

entityMappings:
- fieldMappings:
  - columnName: uiUrl_s
    identifier: Url
  entityType: URL
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml
queryFrequency: 5m
status: Available
relevantTechniques:
- T1516
triggerOperator: gt
id: 6219dcff-ea59-414b-98f3-0938b9ad3459
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
version: 1.0.0
name: SQL Injection
description: |
    'SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.'
query: ContrastADR_CL | where rule_s == "sql-injection"
tactics:
- Impact
queryPeriod: 5m
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6219dcff-ea59-414b-98f3-0938b9ad3459')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6219dcff-ea59-414b-98f3-0938b9ad3459')]",
      "properties": {
        "alertRuleTemplateName": "6219dcff-ea59-414b-98f3-0938b9ad3459",
        "customDetails": null,
        "description": "'SQL injection is a malicious technique where attackers exploit vulnerabilities in web applications to inject unauthorized SQL commands into the database. By carefully crafting input data, attackers can manipulate the SQL queries executed by the application, potentially leading to unauthorized data access, data modification, or even complete database compromise.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_ingestion.yaml",
        "query": "ContrastADR_CL | where rule_s == \"sql-injection\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}