Goal

Detect HTTP requests whose parameters include time-delay SQL constructs, including when responses succeed.

Strategy

This rule monitors OCSF HTTP query strings for database-specific delay primitives and groups activity by @ocsf.src_endpoint.ip.

Triage and response

• Identify the application and database behind the requests and check logs for slow queries or errors.
• If blind SQL injection is plausible, follow your SQL injection response process.