Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SQL Injection

SQL Injection

Back
Id6df2cdb0-1a3d-4c29-86f4-d5e3c93508ea
RulenameSQL Injection
DescriptionMethod Tampering (aka verb tampering or HTTP method tampering) is an attack where an attacker manipulates the HTTP method used in a request to a web application. Providing unexpected HTTP methods can sometimes bypass authentication, authorization or other security mechanisms.
SeverityMedium
TacticsImpact
TechniquesT1516
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__HTTP_Method_Tampering.yaml
Version1.0.0
Arm template6df2cdb0-1a3d-4c29-86f4-d5e3c93508ea.json
Deploy To Azure
ContrastADR_CL | where rule_s == "method-tampering"

entityMappings:
- fieldMappings:
  - columnName: uiUrl_s
    identifier: Url
  entityType: URL
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__HTTP_Method_Tampering.yaml
queryFrequency: 5m
status: Available
relevantTechniques:
- T1516
triggerOperator: gt
id: 6df2cdb0-1a3d-4c29-86f4-d5e3c93508ea
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
version: 1.0.0
name: SQL Injection
description: |
    'Method Tampering (aka verb tampering or HTTP method tampering) is an attack where an attacker manipulates the HTTP method used in a request to a web application. Providing unexpected HTTP methods can sometimes bypass authentication, authorization or other security mechanisms.'
query: ContrastADR_CL | where rule_s == "method-tampering"
tactics:
- Impact
queryPeriod: 5m
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6df2cdb0-1a3d-4c29-86f4-d5e3c93508ea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6df2cdb0-1a3d-4c29-86f4-d5e3c93508ea')]",
      "properties": {
        "alertRuleTemplateName": "6df2cdb0-1a3d-4c29-86f4-d5e3c93508ea",
        "customDetails": null,
        "description": "'Method Tampering (aka verb tampering or HTTP method tampering) is an attack where an attacker manipulates the HTTP method used in a request to a web application. Providing unexpected HTTP methods can sometimes bypass authentication, authorization or other security mechanisms.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__HTTP_Method_Tampering.yaml",
        "query": "ContrastADR_CL | where rule_s == \"method-tampering\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}