SQL Injection

ContrastADR_CL | where rule_s == "jndi-injection"

requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
tactics:
- Impact
description: |
    'JNDI injection is a malicious technique where attackers exploit vulnerabilities in web applications to influence the server used in a JNDI lookup. Where an attacker can influence the server the JNDI Lookup is sent to, it is possible to get the server to connect to a malicious JNDI Server which returns a malicious class which when loaded will give the attacker Remote Code Execution on the impacted server. Also in the case of infamous log4shell vulnerability, as well as RCE, it is possible to exfiltrate data fro the impacted server.'
query: ContrastADR_CL | where rule_s == "jndi-injection"
id: 6e4ff551-ca5b-4ad3-a0e9-5271abc6e602
triggerOperator: gt
relevantTechniques:
- T1516
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_JNDI_Injection.yaml
queryFrequency: 5m
severity: Medium
entityMappings:
- fieldMappings:
  - columnName: uiUrl_s
    identifier: Url
  entityType: URL
name: SQL Injection
queryPeriod: 5m
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
status: Available

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e4ff551-ca5b-4ad3-a0e9-5271abc6e602')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e4ff551-ca5b-4ad3-a0e9-5271abc6e602')]",
      "properties": {
        "alertRuleTemplateName": "6e4ff551-ca5b-4ad3-a0e9-5271abc6e602",
        "customDetails": null,
        "description": "'JNDI injection is a malicious technique where attackers exploit vulnerabilities in web applications to influence the server used in a JNDI lookup. Where an attacker can influence the server the JNDI Lookup is sent to, it is possible to get the server to connect to a malicious JNDI Server which returns a malicious class which when loaded will give the attacker Remote Code Execution on the impacted server. Also in the case of infamous log4shell vulnerability, as well as RCE, it is possible to exfiltrate data fro the impacted server.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_JNDI_Injection.yaml",
        "query": "ContrastADR_CL | where rule_s == \"jndi-injection\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}