This is a report on what I have done training at the SOC Analyst Fundamentals course on letsdefend.io. Letsdefend.io is a good platform for blue team training.

Incident ID: Event ID: 165 - [SOC165 - Possible SQL Injection Payload Detected]

Date and Time of Detection: Feb 25, 2022, 11:34 AM

Incident Severity: High

Incident Category: Web Attack

The SOC detected a security event Event ID: 165 - [SOC165 - Possible SQL Injection Payload Detected] indicating the potential presence of a SQL injection payload. This report outlines the analysis, investigation, and mitigation steps taken.

Upon analysis of the SIEM simulation, Event ID: SOC165 triggered an alert due to the detection of a possible SQL injection payload on the victim's IP address (172.16.17.18) WebServer1001. The attack was unsuccessful due to a server error. The alert raised concerns about a potential security incident, prompting further investigation.

SQL Injection is a type of attack the attacker uses malicious code in SQL Statements via a search bar or web input to retrieve unauthorised access of information from database.

Reviewed the SIEM alert dashboard for relevant details.

Examined the details of Event ID: SOC165 to understand the characteristics of the detected SQL injection payload.

URL Decoding

This shows that the attacker leveraged OR 1 = 1 it is a classic condition in SQL injection attempts

Gathered information on the affected system and user accounts involved.

WebServer1001 logs for signs of SQL injection attempts.

The malicious request URL from 167.99.169.17 was not successful because the log management showed HTTP response 500 means it countered the server error.

The incident was successfully mitigated through prompt detection, analysis, and response. Continuous monitoring and proactive security measures are essential to prevent SQL injection attacks and protect critical web applications.

We put the Requested URL into URL Decoding and find the payload sent by the attacker. After URL Decoding, it has been confirmed that it is SQL Injection. When we filtered by source address from the Log Management page, we saw other requests made. When the requests were examined, we saw that all of them were related to the SQL Injection vulnerability.

When the Response size of all requests is examined, it is seen that they are all the same and the response status is 500. The SQL Injection attack is unsuccessful, as there will be different response sizes and 200 response status, it seems that the attack was not successful.