Elastic
Start free trial
Loading

Web Application Suspicious Activity: sqlmap User Agent

Elastic Stack Serverless Security

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Rule type: query

Rule indices:

  • apm--transaction
  • traces-apm*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • APM

Version: 101

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"