Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SQL Injection

Back
Idbfcf1f5e-d465-4c12-91c0-a686c71ae04b
RulenameSQL Injection
DescriptionXXE is a flaw in XML parsers where attackers can cause the parser to read local or remote resources as part of the document. Attackers often abuse this functionality to access other sensitive system information.
SeverityMedium
TacticsImpact
TechniquesT1516
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__XML_External_Entity_Injection.yaml
Version1.0.0
Arm templatebfcf1f5e-d465-4c12-91c0-a686c71ae04b.json
Deploy To Azure
ContrastADR_CL | where rule_s == "xxe"
description: |
    'XXE is a flaw in XML parsers where attackers can cause the parser to read local or remote resources as part of the document. Attackers often abuse this functionality to access other sensitive system information.'
tactics:
- Impact
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__XML_External_Entity_Injection.yaml
query: ContrastADR_CL | where rule_s == "xxe"
version: 1.0.0
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: uiUrl_s
    identifier: Url
id: bfcf1f5e-d465-4c12-91c0-a686c71ae04b
kind: Scheduled
relevantTechniques:
- T1516
severity: Medium
triggerThreshold: 0
triggerOperator: gt
name: SQL Injection
queryFrequency: 5m
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bfcf1f5e-d465-4c12-91c0-a686c71ae04b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bfcf1f5e-d465-4c12-91c0-a686c71ae04b')]",
      "properties": {
        "alertRuleTemplateName": "bfcf1f5e-d465-4c12-91c0-a686c71ae04b",
        "customDetails": null,
        "description": "'XXE is a flaw in XML parsers where attackers can cause the parser to read local or remote resources as part of the document. Attackers often abuse this functionality to access other sensitive system information.'\n",
        "displayName": "SQL Injection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "uiUrl_s",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR__XML_External_Entity_Injection.yaml",
        "query": "ContrastADR_CL | where rule_s == \"xxe\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": null,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}