Web Application Suspicious Activity: sqlmap User Agent

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Rule type: query

Rule indices:

• apm--transaction
• traces-apm*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References:

• http://sqlmap.org/

Tags:

• Elastic
• APM

Version: 101

Rule authors:

• Elastic

Rule license: Elastic License v2

user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"