Investigate SQLi attacks using Splunk

This entry is part 9 of 17 in the series Threat Detection Engineering


Here are a few Splunk queries that can help detect web application attacks. Each one URL-decodes the request URI and the Referer header first (attackers routinely percent-encode their payloads, so matching the raw field misses them), runs the decoded text against a wildcard lookup of attack patterns, and keeps only the events that matched:

  1. Detecting SQL Injection Attacks:
index=<your_index> sourcetype=<your_sourcetype> | eval decoded=urldecode(uri)." ".urldecode(coalesce(referer,""))
| lookup sql_injection_lookup pattern AS decoded OUTPUT pattern AS matched_pattern | where isnotnull(matched_pattern)
  2. Detecting Cross-Site Scripting (XSS) Attacks:
index=<your_index> sourcetype=<your_sourcetype> | eval decoded=urldecode(uri)." ".urldecode(coalesce(referer,""))
| lookup xss_lookup pattern AS decoded OUTPUT pattern AS matched_pattern | where isnotnull(matched_pattern)
  3. Detecting Directory Traversal Attacks:
index=<your_index> sourcetype=<your_sourcetype> | eval decoded=urldecode(uri)." ".urldecode(coalesce(referer,""))
| lookup directory_traversal_lookup pattern AS decoded OUTPUT pattern AS matched_pattern | where isnotnull(matched_pattern)
  4. Detecting Remote File Inclusion (RFI) Attacks:
index=<your_index> sourcetype=<your_sourcetype> | eval decoded=urldecode(uri)." ".urldecode(coalesce(referer,""))
| lookup rfi_lookup pattern AS decoded OUTPUT pattern AS matched_pattern | where isnotnull(matched_pattern)
  5. Detecting Command Injection Attacks:
index=<your_index> sourcetype=<your_sourcetype> | eval decoded=urldecode(uri)." ".urldecode(coalesce(referer,""))
| lookup command_injection_lookup pattern AS decoded OUTPUT pattern AS matched_pattern | where isnotnull(matched_pattern)

Note: Replace <your_index> and <your_sourcetype> with the values from your Splunk environment. Each lookup named in the queries (sql_injection_lookup, xss_lookup, and so on) is a lookup definition over the corresponding CSV file (sql_injection_keywords.csv, xss_keywords.csv, etc.) with a single pattern column. The definition must use match type WILDCARD(pattern), and every pattern must be wrapped in * (for example *UNION SELECT*), because a wildcard lookup compares the whole field value, and a full request URI never equals a bare keyword. The field names must also match what your sourcetype extracts: access_combined extracts uri and referer, while other sourcetypes may call the same field request_uri, so adjust the queries to your log structure and the fields you want to monitor.

Two caveats a single urldecode() does not cover: double-encoded payloads (%2527 for a single quote) survive one decode pass, so either apply urldecode() twice or match against what the application itself logged after decoding; and keyword lists of this kind produce false positives on legitimate traffic (a forum search for the phrase "union select", for instance), so review the matches before turning a query into a scheduled alert.

Splunk is a data analytics and monitoring platform for searching, analyzing, and visualizing machine-generated data. It does not sit between an application and its database, so it never sees the injected query itself; what it does see are the web server access logs, application logs and database audit logs that carry the attacker's input. SQL injection is a security vulnerability that occurs when attacker-controlled input is concatenated into a database query, potentially allowing unauthorized access to the underlying database.

Splunk can therefore be used to detect (not prevent) SQL injection attempts and to monitor SQL-related activity, and one useful building block is a lookup table of attack patterns. Lookup tables in Splunk are normally used to enrich existing events with reference data; here the reference data is the list of strings to match each request against.

Here’s an example of how you can create a lookup table for SQL injection patterns in Splunk:

  1. Prepare a CSV file: Create a CSV file with a single column named pattern and one attack pattern per row. Wrap each pattern in * so that a wildcard match succeeds wherever the pattern appears in the field value, and quote any pattern that contains a double quote (wrap the field in double quotes and double the inner one), otherwise the CSV parser reads the row incorrectly:
pattern
*' OR 1=1 --*
"*""; DROP TABLE users --*"
*UNION SELECT*
  2. Upload the CSV file: Upload it to Splunk through the Splunk Web interface by navigating to "Settings" -> "Lookups" -> "Lookup table files" and choosing the destination app.
  3. Create a lookup definition: Navigate to "Settings" -> "Lookups" -> "Lookup definitions" and create a new lookup definition.
  • Name: Specify a name for the lookup, such as "sql_injection_lookup"; this is the name you reference in the lookup command.
  • Type: File-based.
  • Lookup file: Choose the CSV file you uploaded in the previous step.
  • Advanced options: Set "Match type" to WILDCARD(pattern) (the equivalent of match_type = WILDCARD(pattern) in transforms.conf) and leave "Case sensitive match" unchecked, so that "union select" is caught as well as "UNION SELECT". Without the wildcard match type the lookup only matches a field whose entire value equals a pattern, which never happens for a full request URI.
  • Lookup fields: The event field(s) to compare against pattern are not part of the definition; they are named at search time in the lookup command (for example "lookup sql_injection_lookup pattern AS uri_query"), so the same definition can be matched against uri, uri_query, referer, or a decoded copy of any of them.
  4. Use the lookup table: Once the lookup definition is created, use it in your Splunk searches with the lookup command and filter on its output field to keep only the events that matched.
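The pipeline just described (URL-decode the field, wildcard-match it against the pattern lookup, keep only events with a hit) re-implemented in Python as an added example, not code from the original post, so the matching behaviour can be checked offline before the lookup definition is built in Splunk. It serves both the one-line queries at the top of the post and the lookup steps above. Everything in it is constructed for illustration: the log lines, the IP addresses and hostnames, the pattern list, and the function names; the field names follow what Splunk's access_combined sourcetype extracts.

```python
"""
Added example, not code from the original post: a stand-alone Python
re-implementation of the lookup-based detection pipeline, so the matching
semantics (URL decoding, '*' wildcard patterns, case folding) can be checked
offline before the lookup definition is built in Splunk.

SPL step                              ->  Python equivalent here
eval decoded=urldecode(uri)           ->  urllib.parse.unquote_plus
lookup ... with WILDCARD(pattern)     ->  wildcard_to_regex + fullmatch
where isnotnull(matched_pattern)      ->  keep only events with a hit

Every log line, pattern and hostname below is constructed for illustration.
"""
import csv
import io
import re
from urllib.parse import unquote_plus

# Constructed lookup file, in the exact text form that would be uploaded to
# Splunk. Patterns are wrapped in '*' because a WILDCARD lookup must match the
# whole field value. The second row shows the CSV quoting a pattern that
# contains a double quote needs: wrap the field and double the inner quote.
SQLI_PATTERNS_CSV = """\
pattern
*' OR 1=1 --*
"*""; DROP TABLE users --*"
*UNION SELECT*
"""

# Combined log format; the named groups are the fields Splunk's access_combined
# sourcetype extracts (clientip, uri, status, referer, useragent).
COMBINED_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
)

# Constructed events: form-encoded payload ('+' for space), percent-encoded
# payload, payload carried in the Referer header, a benign request, and a
# double-encoded payload that a single decode pass does not expose.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=1'+OR+1=1+-- HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /products?id=1%27%20OR%201%3D1%20-- HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048 "http://evil.example/?x=%27%20UNION%20SELECT%20password%20FROM%20users" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "GET /products?id=42 HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:58:03 +0000] "GET /products?id=1%2527%2520OR%25201%253D1%2520-- HTTP/1.1" 200 512 "-" "curl/8.0"
"""


def load_patterns(csv_text):
    """Read the 'pattern' column of the lookup CSV with RFC 4180 quoting."""
    return [row["pattern"] for row in csv.DictReader(io.StringIO(csv_text))]


def wildcard_to_regex(pattern):
    """Emulate Splunk's WILDCARD match type: only '*' is special, case is ignored."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def parse_combined(line):
    """Extract the fields of one combined-format access log line."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    if event["referer"] == "-":          # no Referer header was sent
        event["referer"] = ""
    return event


def detect(log_text, patterns, decode_passes=1):
    """Return one hit per event field (uri or referer) that matches a pattern.

    decode_passes=0 matches the raw field, as the original one-line queries
    did; 1 mirrors a single eval urldecode(); 2 also catches double encoding.
    """
    compiled = [(p, wildcard_to_regex(p)) for p in patterns]
    hits = []
    for line in log_text.splitlines():
        event = parse_combined(line)
        if event is None:
            continue
        for field in ("uri", "referer"):
            value = event[field]
            for _ in range(decode_passes):
                value = unquote_plus(value)
            for pattern, rx in compiled:
                if rx.fullmatch(value):
                    hits.append({"clientip": event["clientip"], "field": field,
                                 "value": value, "matched_pattern": pattern})
                    break
    return hits


if __name__ == "__main__":
    patterns = load_patterns(SQLI_PATTERNS_CSV)
    for passes in (0, 1, 2):
        print(f"decode passes={passes}: {len(detect(SAMPLE_LOG, patterns, passes))} hit(s)")
    for hit in detect(SAMPLE_LOG, patterns, decode_passes=2):
        print(hit["clientip"], hit["field"], hit["matched_pattern"], hit["value"])
```

Run with no decoding and none of the five constructed requests match, which is exactly what the raw `request_uri=*` style of query does against real traffic; one decode pass catches the plain, percent-encoded and Referer-borne payloads, and only a second pass exposes the double-encoded one. The same decode-depth question applies in Splunk: decide how many urldecode() passes the detection needs, or match against the value the application logged after it decoded the input itself.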

Series Navigation: << Custom detection rule with the MITRE ATT&CK framework in Splunk | Splunk: Search Processing Language (SPL) Basics >>