External IP to Internal SQL

Anvilogic Forge

Summary
This detection rule identifies attempts by adversaries to exploit internal SQL databases from an external IP address. It focuses on connections initiated by an outside source to the internal SQL services that handle database transactions. The rule is particularly relevant for detecting exploitation attempts by APT groups known for targeting claims databases, such as APT28, APT29/Nobelium, and APT41. It looks for connections on the common SQL ports 1433 (Microsoft SQL Server), 1521 (Oracle DB), 3306 (MySQL), and 5432 (PostgreSQL). The logic uses Splunk commands to filter and analyze web application firewall logs for unauthorized access attempts from external sources to internal databases, improving security visibility around SQL services. The rule maps to the MITRE ATT&CK framework, specifically technique T1190 (Exploit Public-Facing Application). This helps organizations mitigate the risk of SQL injection and unauthorized data access by malicious actors.
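As an added illustration of the rule's logic (this is example code written for this page, not the rule's own Splunk search, which is not reproduced here), the following Python applies the same check over constructed WAF-style log lines: an external source address, an internal (RFC 1918) destination, and one of the four SQL ports listed above. The key=value field names and the sample IP addresses are assumptions, not the format of any particular product.

```python
import ipaddress
import re
from collections import defaultdict

# SQL ports the rule watches, as listed on the page.
SQL_PORTS = {
    1433: "Microsoft SQL Server",
    1521: "Oracle DB",
    3306: "MySQL",
    5432: "PostgreSQL",
}

# RFC 1918 ranges treated as "internal". Checked explicitly rather than via
# ipaddress.is_private, which also flags documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample WAF log lines (assumed key=value layout, assumed IPs).
SAMPLE_LOGS = """\
2024-02-09T10:01:22Z src_ip=203.0.113.45 dest_ip=10.20.30.40 dest_port=1433 action=allow
2024-02-09T10:01:25Z src_ip=10.1.1.5 dest_ip=10.20.30.40 dest_port=1433 action=allow
2024-02-09T10:02:10Z src_ip=198.51.100.7 dest_ip=192.168.5.10 dest_port=3306 action=allow
2024-02-09T10:02:11Z src_ip=198.51.100.7 dest_ip=192.168.5.11 dest_port=443 action=allow
2024-02-09T10:03:00Z src_ip=203.0.113.45 dest_ip=172.16.0.9 dest_port=5432 action=block
2024-02-09T10:03:05Z src_ip=203.0.113.99 dest_ip=8.8.8.8 dest_port=1521 action=allow
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the fields the rule needs as a dict, or None if the line is unusable."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {
            "ts": line.split(" ", 1)[0],
            "src_ip": ipaddress.ip_address(fields["src_ip"]),
            "dest_ip": ipaddress.ip_address(fields["dest_ip"]),
            "dest_port": int(fields["dest_port"]),
            "action": fields.get("action", "unknown"),
        }
    except (KeyError, ValueError):
        return None


def is_internal(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def detect_external_to_sql(log_text):
    """Mirror the rule: external source -> internal destination on a SQL port.

    Blocked attempts are reported too, since the rule is about access attempts,
    not only successful connections; the action is carried in the alert.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_internal(ev["src_ip"]):
            continue  # internal-to-internal traffic is out of scope for this rule
        if not is_internal(ev["dest_ip"]):
            continue  # destination must be an internal host
        service = SQL_PORTS.get(ev["dest_port"])
        if service is None:
            continue  # not one of the watched SQL ports
        alerts.append({
            "ts": ev["ts"],
            "src_ip": str(ev["src_ip"]),
            "dest_ip": str(ev["dest_ip"]),
            "dest_port": ev["dest_port"],
            "service": service,
            "action": ev["action"],
        })
    return alerts


def summarize_by_source(alerts):
    """Group hits per external source to show how many internal SQL endpoints it reached."""
    summary = defaultdict(lambda: {"hits": 0, "targets": set()})
    for a in alerts:
        entry = summary[a["src_ip"]]
        entry["hits"] += 1
        entry["targets"].add((a["dest_ip"], a["dest_port"]))
    return {src: {"hits": v["hits"], "targets": sorted(v["targets"])}
            for src, v in summary.items()}


if __name__ == "__main__":
    hits = detect_external_to_sql(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["ts"]} {h["src_ip"]} -> {h["dest_ip"]}:{h["dest_port"]} '
              f'({h["service"]}, {h["action"]})')
    print(summarize_by_source(hits))
```

Over the constructed sample, three of the seven lines match: two from the same external address against different internal hosts (one allowed, one blocked) and one MySQL connection; the internal-sourced line, the HTTPS line, the line whose destination is a public address, and the malformed line are all discarded. Grouping by source is what turns individual matches into something an analyst can triage, since one external address touching several internal SQL endpoints is a stronger signal than a single hit.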
Categories
  • Database
  • Web
  • Network
Data Sources
  • Web Credential
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2024-02-09