There is actually a sql injection rule already in place within LEM. Basically the rule analyzes web traffic from firewalls, ids/ips, and other devices looking for those injection vectors within the list. Let me know if you need more info on this.
Awesome, I swear I looked, not sure how I missed that. Thanks so much!