Elastic Security Detection Rules

Web Server Potential SQL Injection Request

Last updated 16 days ago on 2025-11-19
Created 16 days ago on 2025-11-19

About

This rule detects potential SQL injection attempts in web server requests by identifying common SQL injection patterns in URLs. Such activity may indicate reconnaissance or exploitation attempts by attackers trying to manipulate backend databases or extract sensitive information.
Tags
Domain: WebUse Case: Threat DetectionTactic: ReconnaissanceTactic: Credential AccessTactic: PersistenceTactic: ExecutionTactic: Command and ControlData Source: NginxData Source: ApacheData Source: Apache TomcatData Source: IISRule Type: BBRLanguage: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

Server Software Component (T1505)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

Command and Scripting Interpreter (T1059)(opens in a new tab or window)

Command and Control (TA0011)(opens in a new tab or window)

Application Layer Protocol (T1071)(opens in a new tab or window)

Reconnaissance (TA0043)(opens in a new tab or window)

Active Scanning (T1595)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-nginx.access-*logs-apache.access-*logs-apache_tomcat.access-*logs-iis.access-*
Related Integrations

nginx(opens in a new tab or window)

apache(opens in a new tab or window)

apache_tomcat(opens in a new tab or window)

iis(opens in a new tab or window)

Query
any where url.original like~ (
  "*%20order%20by%*", "*dbms_pipe.receive_message%28chr%*", "*waitfor%20delay%20*", "*%28select%20*from%20pg_sleep%285*", "*%28select%28sleep%285*", "*%3bselect%20pg_sleep%285*",
  "*select%20concat%28concat*", "*xp_cmdshell*", "*select*case*when*", "*and*extractvalue*select*", "*from*information_schema.tables*", "*boolean*mode*having*", "*extractvalue*concat*",
  "*case*when*sleep*", "*select*sleep*", "*dbms_lock.sleep*", "*and*sleep*", "*like*sleep*", "*csleep*", "*pgsleep*", "*char*char*char*", "*union*select*", "*concat*select*",
  "*select*else*drop*", "*having*like*", "*case*else*end*", "*if*sleep*", "*where*and*select*", "*or*1=1*", "*\"1\"=\"1\"*", "*or*'a'='a*", "*into*outfile*", "*pga_sleep*",
  "*into%20outfile*", "*into*dumpfile*", "*load_file%28*", "*load%5ffile%28*", "*cast%28*", "*convert%28*", "*cast%28%*", "*convert%28%*", "*@@version*", "*@@version_comment*",
  "*version%28*", "*user%28*", "*current_user%28*", "*database%28*", "*schema_name%28*", "*information_schema.columns*", "*information_schema.columns*", "*table_schema*",
  "*column_name*", "*dbms_pipe*", "*dbms_lock%2e*sleep*", "*dbms_lock.sleep*", "*sp_executesql*", "*sp_executesql*", "*load%20data*", "*information_schema*",  "*pg_slp*",
  "*information_schema.tables*"
)

Install detection rules in Elastic Security

Detect Web Server Potential SQL Injection Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).