ContrastADR_CL | where rule_s == "xxe"
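# Contrast ADR analytic rule: raises one alert whenever the Contrast ADR
# connector reports an XML External Entity (XXE) event.
#
# NOTE(review): the packaged ARM template for this rule emits
# "techniques": null even though relevantTechniques lists T1516. T1516 is not
# an Enterprise ATT&CK technique ID (it is a Mobile ATT&CK ID), so the mapping
# appears to be dropped at deployment time. Confirm the intended tactic and
# technique before relying on ATT&CK coverage reports for this rule.
id: bfcf1f5e-d465-4c12-91c0-a686c71ae04b
# The rule name must match what the query detects. rule_s == "xxe" and the
# original file name (Contrast_ADR__XML_External_Entity_Injection.yaml) both
# say XXE; the previous label "SQL Injection" mis-routes analyst triage.
name: XML External Entity Injection
description: >-
  XXE is a flaw in XML parsers where attackers can cause the parser to read
  local or remote resources as part of the document. Attackers often abuse
  this functionality to access other sensitive system information.
severity: Medium
status: Available
kind: Scheduled
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__XML_External_Entity_Injection.yaml'
requiredDataConnectors:
  - connectorId: ContrastADR
    dataTypes:
      - ContrastADR_CL
# Look-back window equals the schedule interval. Each event lands in exactly
# one window in the ideal case, but ingestion latency can push an event past
# its window; extend queryPeriod beyond queryFrequency if misses are observed.
queryFrequency: 5m
queryPeriod: 5m
# Fire on any matching event (count > 0). Contrast has already classified the
# event as XXE, so no further aggregation or thresholding is applied here.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1516
query: |
  ContrastADR_CL
  | where rule_s == "xxe"
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        # URL column from the ADR event; the name suggests a link into the
        # Contrast UI rather than the attacked endpoint — verify with the
        # connector schema before pivoting on it as the target URL.
        columnName: uiUrl_s
version: 1.0.0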
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bfcf1f5e-d465-4c12-91c0-a686c71ae04b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bfcf1f5e-d465-4c12-91c0-a686c71ae04b')]",
"properties": {
"alertRuleTemplateName": "bfcf1f5e-d465-4c12-91c0-a686c71ae04b",
"customDetails": null,
"description": "XXE is a flaw in XML parsers where attackers can cause the parser to read local or remote resources as part of the document. Attackers often abuse this functionality to access other sensitive system information.\n",
"displayName": "XML External Entity Injection",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "uiUrl_s",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__XML_External_Entity_Injection.yaml",
"query": "ContrastADR_CL | where rule_s == \"xxe\"",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": null,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}