
OracleDBAudit - SQL injection patterns

Id: ab352f0d-7c55-4ab2-a22e-b1c2d995e193
Rulename: OracleDBAudit - SQL injection patterns
Description: Detects common known SQL injection patterns used in automated scripts.
Severity: Medium
Tactics: InitialAccess
Techniques: T1190
Required data connectors: OracleDatabaseAudit
SyslogAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSQLInjectionPatterns.yaml
Version: 1.0.1
Arm template: ab352f0d-7c55-4ab2-a22e-b1c2d995e193.json
// Detection query: Oracle audit records whose Action text carries one of a
// fixed list of well-known SQL injection probe strings.
OracleDatabaseAuditEvent
// Keep only records that name a target user; the Account entity maps to it.
| where isnotempty(DstUserName)
// has_any is a term match over the whole Action text; one hit is enough.
| where Action has_any (
    "admin' --",
    "admin' #",
    "admin'/*",
    "0=1",
    "1=0",
    "1=1",
    "1=2",
    "' or 1=1--",
    "' or 1=1#",
    "' or 1=1/*",
    "') or '1'='1--",
    "') or ('1'='1--"
)
// Output columns, in order: the three source fields plus the two aliases
// consumed by the rule's entity mappings (Account, IP).
| project SrcIpAddr, DstUserName, Action,
    AccountCustomEntity = DstUserName,
    IPCustomEntity = SrcIpAddr
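---
# Scheduled analytic rule: flags Oracle audit events whose Action text
# contains one of a fixed list of well-known SQL injection probe strings.
# The ARM rendering of the same rule appears further down the page.
requiredDataConnectors:
- connectorId: OracleDatabaseAudit
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  # Key casing made consistent with the first connector (was `datatypes`);
  # to a schema-driven consumer a differently cased key is a different key.
  dataTypes:
  - Syslog
status: Available
relevantTechniques:
- T1190
# queryPeriod equals queryFrequency, so each hourly run covers exactly the
# preceding hour with no overlap and no gap.
queryFrequency: 1h
id: ab352f0d-7c55-4ab2-a22e-b1c2d995e193
name: OracleDBAudit - SQL injection patterns
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSQLInjectionPatterns.yaml
queryPeriod: 1h
# Each mapping names a column produced by the query's final `extend` lines.
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
# The surrounding single quotes are part of the stored description text.
description: |
    'Detects common known SQL injection patterns used in automated scripts.'
# threshold 0 with operator gt: any matching row fires the rule.
triggerThreshold: 0
tactics:
- InitialAccess
# NOTE(review): has_any is a term match; very short patterns such as "1=1"
# can also appear in ordinary application SQL, so expect some benign hits
# and tune the list against the audited workload.
# Trailing whitespace inside the block scalar was removed: it would
# otherwise become part of the stored query text.
query: |
  OracleDatabaseAuditEvent
  | where isnotempty(DstUserName)
  | where Action has_any ("admin' --" ,"admin' #", "admin'/*", "0=1", "1=0", "1=1", "1=2", "' or 1=1--", "' or 1=1#", "' or 1=1/*", "') or '1'='1--", "') or ('1'='1--")
  | project SrcIpAddr, DstUserName, Action
  | extend AccountCustomEntity = DstUserName
  | extend IPCustomEntity = SrcIpAddr
kind: Scheduled
triggerOperator: gt
version: 1.0.1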
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ab352f0d-7c55-4ab2-a22e-b1c2d995e193')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ab352f0d-7c55-4ab2-a22e-b1c2d995e193')]",
      "properties": {
        "alertRuleTemplateName": "ab352f0d-7c55-4ab2-a22e-b1c2d995e193",
        "customDetails": null,
        "description": "'Detects common known SQL injection patterns used in automated scripts.'\n",
        "displayName": "OracleDBAudit - SQL injection patterns",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditSQLInjectionPatterns.yaml",
        "query": "OracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where Action has_any (\"admin' --\" ,\"admin' #\", \"admin'/*\", \"0=1\", \"1=0\", \"1=1\", \"1=2\", \"' or 1=1--\", \"' or 1=1#\", \"' or 1=1/*\", \"') or '1'='1--\", \"') or ('1'='1--\")\n| project SrcIpAddr, DstUserName, Action\n| extend AccountCustomEntity = DstUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}