Web Application Suspicious Activity: sqlmap User Agentedit

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Rule type: query

Rule indices:

  • apm--transaction
  • traces-apm*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • APM

Version: 7 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.14.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

This rule does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity.

Rule queryedit

user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"

Rule version historyedit

Version 7 (7.14.0 release)
  • Updated query, changed from:

    user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
Version 6 (7.12.0 release)
  • Formatting only
Version 5 (7.11.2 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Formatting only
Version 2 (7.7.0 release)
  • Formatting only