This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity.

Techniques

Sample rules

Web Application Suspicious Activity: sqlmap User Agent

Description

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Detection logic

user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
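To show how the rule above behaves against real-looking telemetry and how the false-positive note translates into triage, here is an added Python example (not part of the LoFP page or of the rule it quotes). It applies the exact KQL match from the detection logic to constructed ECS-style events (the `user_agent.original` and `source.ip` field names are ECS), labels hits from an allow-listed tester range as authorized, and also runs a broader prefix match that goes beyond the original rule: the 1.3.11 string only catches that one version, so the regex for the default `sqlmap/<version>#<stable|dev>` shape is an assumption added here. The allow-list range and every event are constructed values.

```python
"""Run the sqlmap user-agent detection over constructed ECS-style events."""
import json
import re
from ipaddress import ip_address, ip_network

# Exact value from the page's detection logic
# (KQL: user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)").
SQLMAP_UA_1_3_11 = "sqlmap/1.3.11#stable (http://sqlmap.org)"

# Generalisation, an assumption beyond the original rule: sqlmap's default
# User-Agent has the shape "sqlmap/<version>#<stable|dev> (<url>)", so a prefix
# match also flags versions other than 1.3.11.
SQLMAP_UA_ANY = re.compile(r"^sqlmap/\d+(?:\.\d+)*#(?:stable|dev)\b")

# Hypothetical allow-list of authorized tester source ranges (constructed value).
AUTHORIZED_TESTERS = [ip_network("10.50.0.0/24")]

# Constructed ECS-style events, one JSON object per line (not real telemetry).
SAMPLE_LOG = """
{"source": {"ip": "203.0.113.7"}, "url": {"path": "/login"}, "user_agent": {"original": "sqlmap/1.3.11#stable (http://sqlmap.org)"}}
{"source": {"ip": "10.50.0.12"}, "url": {"path": "/search"}, "user_agent": {"original": "sqlmap/1.3.11#stable (http://sqlmap.org)"}}
{"source": {"ip": "198.51.100.4"}, "url": {"path": "/api/items"}, "user_agent": {"original": "sqlmap/1.7.2#dev (https://sqlmap.org)"}}
{"source": {"ip": "192.0.2.1"}, "url": {"path": "/"}, "user_agent": {"original": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}}
{"source": {"ip": "192.0.2.2"}, "url": {"path": "/robots.txt"}}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def user_agent_of(event):
    """Return user_agent.original, or '' when the field is absent."""
    return event.get("user_agent", {}).get("original", "")


def matches_exact_rule(event):
    """The page's rule as written: an exact match on the 1.3.11 string."""
    return user_agent_of(event) == SQLMAP_UA_1_3_11


def matches_any_sqlmap(event):
    """Broader check (assumption): any default-looking sqlmap User-Agent."""
    return SQLMAP_UA_ANY.match(user_agent_of(event)) is not None


def is_authorized_tester(source_ip, allow_list=AUTHORIZED_TESTERS):
    """True when source.ip falls inside an allow-listed tester range."""
    if not source_ip:
        return False
    addr = ip_address(source_ip)
    return any(addr in net for net in allow_list)


def triage(events, allow_list=AUTHORIZED_TESTERS):
    """Apply the detection and label each hit per the false-positive note:
    an allow-listed tester is an 'authorized_test', anything else 'suspicious'."""
    alerts = []
    for event in events:
        exact = matches_exact_rule(event)
        broad = matches_any_sqlmap(event)
        if not (exact or broad):
            continue
        src = event.get("source", {}).get("ip")
        alerts.append({
            "source.ip": src,
            "url.path": event.get("url", {}).get("path"),
            "exact_rule_hit": exact,
            "verdict": "authorized_test" if is_authorized_tester(src, allow_list) else "suspicious",
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_LOG)):
        print(alert)
```

Running the script prints three alerts: two exact-rule hits (one from the allow-listed range, labelled an authorized test, one from an outside address, labelled suspicious) and one that only the broader prefix match catches. The Firefox request and the event with no user agent produce nothing. Because the User-Agent header is chosen by the client, the absence of a match says nothing about whether sqlmap was used; the rule is a low-cost signal for the default configuration, and the allow-list is what keeps authorized scans from paging anyone.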