Tomcat - Sql injection patterns

Back


Id	ce84741e-4875-11ec-81d3-0242ac130003
Rulename	Tomcat - Sql injection patterns
Description	Detects possible sql injection patterns
Severity	High
Tactics	InitialAccess
Techniques	T1190
Required data connectors	CustomLogsAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml
Version	1.0.2
Arm template	ce84741e-4875-11ec-81d3-0242ac130003.json

KQL

let commands = dynamic(["1/*'*/", "1'||'asd'||'", "'1'='1", "1' or '1'='1", "1 or 1=1", "1=1", "1/*!1111'*/", "'or''='"]);
TomcatEvent
| where UrlOriginal has_any (commands)
| extend UrlCustomEntity = UrlOriginal

YAML

description: |
    'Detects possible sql injection patterns'
version: 1.0.2
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatSQLiPattern.yaml
triggerOperator: gt
status: Available
id: ce84741e-4875-11ec-81d3-0242ac130003
name: Tomcat - Sql injection patterns
queryFrequency: 1h
severity: High
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: UrlCustomEntity
    identifier: Url
  entityType: URL
relevantTechniques:
- T1190
query: |
  let commands = dynamic(["1/*'*/", "1'||'asd'||'", "'1'='1", "1' or '1'='1", "1 or 1=1", "1=1", "1/*!1111'*/", "'or''='"]);
  TomcatEvent
  | where UrlOriginal has_any (commands)
  | extend UrlCustomEntity = UrlOriginal  
requiredDataConnectors:
- datatypes:
  - Tomcat_CL
  connectorId: CustomLogsAma

ARM