Check out the rules that came with LEM; some of them (especially the ones in the Security section) are oriented towards detecting APTs, for instance SQL injection.
I would like to hear opinions on this from advanced users as well; they might have something more important to share on this matter.