Web Application Suspicious Activity: sqlmap User Agent

Last updated: 2025-01-15
Created: 2020-02-18

About

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
Tags
Data Source: APM
Language: kuery
Severity
medium
Risk Score
47
False Positive Examples
This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Authorized security scans and tests may trigger this rule. If the source is not an authorized security tester, this is generally suspicious or malicious activity.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
apm-*-transaction*
traces-apm*
Related Integrations

apm

Query
user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
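The query above applied to sample APM transaction documents, as an added example that is not part of the rule or of Elastic's code. It shows the exact-match behaviour of the rule (only the 1.3.11 user agent string fires) beside a broader, version-agnostic check that a practitioner might add locally; the broader pattern and the sample events are constructed assumptions, not content from the rule.

```python
import re

# The phrase from the rule's KQL query; on a keyword-mapped user_agent.original
# field this amounts to an exact string comparison.
RULE_USER_AGENT = "sqlmap/1.3.11#stable (http://sqlmap.org)"

# Assumed broader pattern (not part of the rule): any "sqlmap/<version>#<branch>"
# prefix, so that other sqlmap releases are caught as well.
SQLMAP_UA_RE = re.compile(r"^sqlmap/(?P<version>[\d.]+)#(?P<branch>\w+)")

# Constructed sample APM transaction documents (flattened ECS field names).
SAMPLE_EVENTS = [
    {"@timestamp": "2025-01-15T10:00:01Z", "client.ip": "198.51.100.7",
     "user_agent.original": "sqlmap/1.3.11#stable (http://sqlmap.org)"},
    {"@timestamp": "2025-01-15T10:00:02Z", "client.ip": "203.0.113.9",
     "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"},
    {"@timestamp": "2025-01-15T10:00:03Z", "client.ip": "198.51.100.7",
     "user_agent.original": "sqlmap/1.8.12#stable (https://sqlmap.org)"},
    {"@timestamp": "2025-01-15T10:00:04Z", "client.ip": "192.0.2.44"},  # no UA
]


def matches_rule(event: dict) -> bool:
    """Exact match, equivalent to the rule's KQL phrase query."""
    return event.get("user_agent.original") == RULE_USER_AGENT


def matches_any_sqlmap(event: dict) -> bool:
    """Broader version-agnostic check (local assumption, not the rule)."""
    ua = event.get("user_agent.original") or ""
    return SQLMAP_UA_RE.match(ua) is not None


def run_detection(events: list, check=matches_rule) -> list:
    """Return one alert per event satisfying `check`, carrying the rule's
    severity and risk score plus the fields an analyst needs for triage."""
    alerts = []
    for event in events:
        if check(event):
            alerts.append({
                "rule": "Web Application Suspicious Activity: sqlmap User Agent",
                "severity": "medium",
                "risk_score": 47,
                "@timestamp": event.get("@timestamp"),
                "client.ip": event.get("client.ip"),
                "user_agent.original": event.get("user_agent.original"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Swapping `matches_any_sqlmap` in as the `check` argument shows why a pinned version string under-detects: the constructed 1.8.12 event is missed by the rule as written but caught by the prefix pattern.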

Install detection rules in Elastic Security

Detect Web Application Suspicious Activity: sqlmap User Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.