Tomcat - Sql injection patterns

Back


Id	ce84741e-4875-11ec-81d3-0242ac130003
Rulename	Tomcat - Sql injection patterns
Description	Detects possible sql injection patterns
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml
Version	1.0.2
Arm template	ce84741e-4875-11ec-81d3-0242ac130003.json

KQL

let commands = dynamic(["1/*'*/", "1'||'asd'||'", "'1'='1", "1' or '1'='1", "1 or 1=1", "1=1", "1/*!1111'*/", "'or''='"]);
TomcatEvent
| where UrlOriginal has_any (commands)
| extend UrlCustomEntity = UrlOriginal

YAML

query: |
  let commands = dynamic(["1/*'*/", "1'||'asd'||'", "'1'='1", "1' or '1'='1", "1 or 1=1", "1=1", "1/*!1111'*/", "'or''='"]);
  TomcatEvent
  | where UrlOriginal has_any (commands)
  | extend UrlCustomEntity = UrlOriginal  
version: 1.0.2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml
status: Available
description: |
    'Detects possible sql injection patterns'
queryFrequency: 1h
name: Tomcat - Sql injection patterns
kind: Scheduled
triggerThreshold: 0
id: ce84741e-4875-11ec-81d3-0242ac130003
requiredDataConnectors:
- connectorId: CustomLogsAma
  datatypes:
  - Tomcat_CL
severity: High
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
relevantTechniques:
- T1190
tactics:
- InitialAccess

ARM