Refine SQL injection rule and log sources

Removed network traffic log sources and adjusted query conditions for SQL injection detection.

Author: Aegrah

rules_building_block/persistence_web_server_potential_sql_injection.toml

@@ -1,7 +1,7 @@
 [metadata]
 bypass_bbr_timing = true
 creation_date = "2025/11/19"
-integration = ["nginx", "apache", "apache_tomcat", "iis", "network_traffic"]
+integration = ["nginx", "apache", "apache_tomcat", "iis"]
 maturity = "production"
 updated_date = "2025/11/19"
 
@@ -15,8 +15,6 @@ databases or extract sensitive information.
 """
 from = "now-9m"
 index = [
-        "logs-network_traffic.http-*",
-        "logs-network_traffic.tls-*",
         "logs-nginx.access-*",
         "logs-apache.access-*",
         "logs-apache_tomcat.access-*",
@@ -31,14 +29,12 @@ rule_id = "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2"
 severity = "low"
 tags = [
     "Domain: Web",
-    "Domain: Network",
     "Use Case: Threat Detection",
     "Tactic: Reconnaissance",
     "Tactic: Credential Access",
     "Tactic: Persistence",
     "Tactic: Execution",
     "Tactic: Command and Control",
-    "Data Source: Network Traffic",
     "Data Source: Nginx",
     "Data Source: Apache",
     "Data Source: Apache Tomcat",
@@ -48,27 +44,15 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where (
-    url.original like~ (
-        "*%20order%20by%*", "*dbms_pipe.receive_message%28chr%*", "*waitfor%20delay%20*", "*%28select%20*from%20pg_sleep%285*", "*%28select%28sleep%285*", "*%3bselect%20pg_sleep%285*",
-        "*select%20concat%28concat*", "*xp_cmdshell*", "*select*case*when*", "*and*extractvalue*select*", "*from*information_schema.tables*", "*boolean*mode*having*", "*extractvalue*concat*",
-        "*case*when*sleep*", "*select*sleep*", "*dbms_lock.sleep*", "*and*sleep*", "*like*sleep*", "*csleep*", "*pgsleep*", "*char*char*char*", "*union*select*", "*concat*select*",
-        "*select*else*drop*", "*having*like*", "*case*else*end*", "*if*sleep*", "*where*and*select*", "*or*1=1*", """*"1"="1"*""", "*or*'a'='a*", "*into*outfile*", "*pga_sleep*",
-        "*into%20outfile*", "*into*dumpfile*", "*load_file%28*", "*load%5ffile%28*", "*cast%28*", "*convert%28*", "*cast%28%*", "*convert%28%*", "*@@version*", "*@@version_comment*",
-        "*version%28*", "*user%28*", "*current_user%28*", "*database%28*", "*schema_name%28*", "*information_schema.columns*", "*information_schema.columns*", "*table_schema*",
-        "*column_name*", "*dbms_pipe*", "*dbms_lock%2e*sleep*", "*dbms_lock.sleep*", "*sp_executesql*", "*sp_executesql*", "*load%20data*", "*information_schema*",  "*pg_slp*",
-        "*information_schema.tables*"
-    ) or
-    url.full like~ (
-        "*%20order%20by%*", "*dbms_pipe.receive_message%28chr%*", "*waitfor%20delay%20*", "*%28select%20*from%20pg_sleep%285*", "*%28select%28sleep%285*", "*%3bselect%20pg_sleep%285*",
-        "*select%20concat%28concat*", "*xp_cmdshell*", "*select*case*when*", "*and*extractvalue*select*", "*from*information_schema.tables*", "*boolean*mode*having*", "*extractvalue*concat*",
-        "*case*when*sleep*", "*select*sleep*", "*dbms_lock.sleep*", "*and*sleep*", "*like*sleep*", "*csleep*", "*pgsleep*", "*char*char*char*", "*union*select*", "*concat*select*",
-        "*select*else*drop*", "*having*like*", "*case*else*end*", "*if*sleep*", "*where*and*select*", "*or*1=1*", """*"1"="1"*""", "*or*'a'='a*", "*into*outfile*", "*pga_sleep*",
-        "*into%20outfile*", "*into*dumpfile*", "*load_file%28*", "*load%5ffile%28*", "*cast%28*", "*convert%28*", "*cast%28%*", "*convert%28%*", "*@@version*", "*@@version_comment*",
-        "*version%28*", "*user%28*", "*current_user%28*", "*database%28*", "*schema_name%28*", "*information_schema.columns*", "*information_schema.columns*", "*table_schema*",
-        "*column_name*", "*dbms_pipe*", "*dbms_lock%2e*sleep*", "*dbms_lock.sleep*", "*sp_executesql*", "*sp_executesql*", "*load%20data*", "*information_schema*",  "*pg_slp*",
-        "*information_schema.tables*"
-    )
+any where url.original like~ (
+  "*%20order%20by%*", "*dbms_pipe.receive_message%28chr%*", "*waitfor%20delay%20*", "*%28select%20*from%20pg_sleep%285*", "*%28select%28sleep%285*", "*%3bselect%20pg_sleep%285*",
+  "*select%20concat%28concat*", "*xp_cmdshell*", "*select*case*when*", "*and*extractvalue*select*", "*from*information_schema.tables*", "*boolean*mode*having*", "*extractvalue*concat*",
+  "*case*when*sleep*", "*select*sleep*", "*dbms_lock.sleep*", "*and*sleep*", "*like*sleep*", "*csleep*", "*pgsleep*", "*char*char*char*", "*union*select*", "*concat*select*",
+  "*select*else*drop*", "*having*like*", "*case*else*end*", "*if*sleep*", "*where*and*select*", "*or*1=1*", "*\"1\"=\"1\"*", "*or*'a'='a*", "*into*outfile*", "*pga_sleep*",
+  "*into%20outfile*", "*into*dumpfile*", "*load_file%28*", "*load%5ffile%28*", "*cast%28*", "*convert%28*", "*cast%28%*", "*convert%28%*", "*@@version*", "*@@version_comment*",
+  "*version%28*", "*user%28*", "*current_user%28*", "*database%28*", "*schema_name%28*", "*information_schema.columns*", "*information_schema.columns*", "*table_schema*",
+  "*column_name*", "*dbms_pipe*", "*dbms_lock%2e*sleep*", "*dbms_lock.sleep*", "*sp_executesql*", "*sp_executesql*", "*load%20data*", "*information_schema*",  "*pg_slp*",
+  "*information_schema.tables*"
 )
 '''