SQL Injection

ContrastADR_CL | where rule_s == "jndi-injection"

queryPeriod: 5m
kind: Scheduled
version: 1.0.0
name: SQL Injection
relevantTechniques:
- T1516
severity: Medium
description: |
    'JNDI injection is a malicious technique where attackers exploit vulnerabilities in web applications to influence the server used in a JNDI lookup. Where an attacker can influence the server the JNDI Lookup is sent to, it is possible to get the server to connect to a malicious JNDI Server which returns a malicious class which when loaded will give the attacker Remote Code Execution on the impacted server. Also in the case of infamous log4shell vulnerability, as well as RCE, it is possible to exfiltrate data fro the impacted server.'
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
query: ContrastADR_CL | where rule_s == "jndi-injection"
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_JNDI_Injection.yaml
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: uiUrl_s
  entityType: URL
triggerThreshold: 0
id: 6e4ff551-ca5b-4ad3-a0e9-5271abc6e602
triggerOperator: gt
queryFrequency: 5m
status: Available

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e4ff551-ca5b-4ad3-a0e9-5271abc6e602')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e4ff551-ca5b-4ad3-a0e9-5271abc6e602')]",
      "properties": {
        "alertRuleTemplateName": "6e4ff551-ca5b-4ad3-a0e9-5271abc6e602",
        "customDetails": null,
        "description": "'JNDI injection is a malicious technique where attackers exploit vulnerabilities in web applications to influence the server used in a JNDI lookup. Where an attacker can influence the server the JNDI Lookup is sent to, it is possible to get the server to connect to a malicious JNDI Server which returns a malicious class which when loaded will give the attacker Remote Code Execution on the impacted server. Also in the case of infamous log4shell vulnerability, as well as RCE, it is possible to exfiltrate data fro the impacted server.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_JNDI_Injection.yaml",
        "query": "ContrastADR_CL | where rule_s == \"jndi-injection\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}