This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
Rule type: query
Risk score: 47
Runs every: 5m
Maximum alerts per execution: 100
Rule license: Elastic License v2