text code block:`mcp_server` method=query direction=inbound | eval dest=host | eval query_lower=lower('params.query') | eval suspicious_query='params.query' | eval is_priv_escalation=if(like(query_lower, "%update%users%role%admin%") OR like(query_lower, "%grant%admin%") OR like(query_lower, "%grant%superuser%"), 1, 0) | eval is_credential_theft=if(like(query_lower, "%password%") OR like(query_lower, "%credential%") OR like(query_lower, "%api_key%") OR like(query_lower, "%secret%"), 1, 0) | eval is_recon=if(like(query_lower, "%information_schema%") OR like(query_lower, "%pg_catalog%") OR like(query_lower, "%pg_tables%") OR like(query_lower, "%pg_user%"), 1, 0) | where is_priv_escalation=1 OR is_credential_theft=1 OR is_recon=1 | eval attack_type=case( is_priv_escalation=1, "Privilege Escalation", is_credential_theft=1, "Credential Theft", is_recon=1, "Schema Reconnaissance", 1=1, "Unknown") | stats count min(_time) as firstTime max(_time) as lastTime values(suspicious_query) as suspicious_queries values(attack_type) as attack_types dc(attack_type) as attack_diversity by dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table dest firstTime lastTime count suspicious_queries attack_types attack_diversity | `mcp_postgres_suspicious_query_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).