Quick Start Security for Azure Database PostgreSQL
Coralogix Extension For Azure Database PostgreSQL Includes:
Alerts - 5
Stay on top of Azure Database PostgreSQL key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Multiple Failed Connection Attempts From an IP Address
This alert triggers when there are more than 5 failed connection attempts to the Azure PostgreSQL database in a 10-minute interval from a single IP address.
Impact: Multiple failed connection/login attempts in a short time frame might indicate a brute-force attack against the relevant account.
Mitigation: Check whether the user(s) are aware of the connection attempts and that these attempts are legitimate. If not, investigate this activity further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL:
1. Require all PostgreSQL accounts to have a strong password.
2. Do not run PostgreSQL with root-level privileges.
3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled.
4. The PostgreSQL instance should be configured to only allow access to permitted hosts.
MITRE Tactic: TA0006
MITRE Technique: T1110
Excessive ALTER Statement Executed
This alert detects the use of the SQL ALTER statement. ALTER is used to add, delete, or modify columns in an existing table. This alert can trigger false positives; consider fine-tuning it according to your specific machines or user groups.
Impact: After an adversary has access to your Azure PostgreSQL database and has the necessary permissions, they can alter the database tables to modify, delete or add records. They can thus escalate their privileges, maintain persistence in the network, or disrupt an organization's business operations.
Mitigation: Validate whether this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL:
1. Require all PostgreSQL accounts to have a strong password.
2. Do not run PostgreSQL with root-level privileges.
3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled.
4. The PostgreSQL instance should be configured to only allow access to permitted hosts.
MITRE Tactic: TA0003
MITRE Technique: T1505
MITRE Sub-Technique: 001
Excessive DROP Statement Executed
This alert detects the use of the SQL DROP statement. DROP is used either to delete an existing table in a database or to delete a database itself. This alert can trigger false positives; consider fine-tuning it according to your specific machines or user groups.
Impact: After an adversary has access to your Azure PostgreSQL database and has the necessary permissions, they can insert new records in highly sensitive database tables.
Mitigation: Validate whether this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL:
1. Require all PostgreSQL accounts to have a strong password.
2. Do not run PostgreSQL with root-level privileges.
3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled.
4. The PostgreSQL instance should be configured to only allow access to permitted hosts.
MITRE Tactic: TA0003
MITRE Technique: T1505
MITRE Sub-Technique: 001
Multiple 'Error' Log Type Seen From an IP Address
This alert triggers when more than 3 entries of the log type 'Error' are logged in a 10-minute interval from a single IP address.
Impact: Multiple entries of log type 'Error' could be an indication of malicious activity on the Azure PostgreSQL database.
Mitigation: Check with the user to validate that the action was legitimate and that they are aware of it. If not, investigate further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL:
1. Require all PostgreSQL accounts to have a strong password.
2. Do not run PostgreSQL with root-level privileges.
3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled.
4. The PostgreSQL instance should be configured to only allow access to permitted hosts.
MITRE Tactic: TA0006
MITRE Technique: T1110
Excessive DELETE Statement Executed
This alert detects excessive use of the SQL DELETE statement within a specific time interval. DELETE is used to remove existing records from a table; a user can delete either some records or all records in a table.
Impact: After an adversary has access to your Azure PostgreSQL database and has the necessary permissions, they can delete database tables and records in order to disrupt an organization's business operations.
Mitigation: Validate whether this action was legitimate. If not, revert the change and investigate it further. Additionally, administrators can consider the following recommendations to better secure PostgreSQL:
1. Require all PostgreSQL accounts to have a strong password.
2. Do not run PostgreSQL with root-level privileges.
3. If the PostgreSQL database is only used by local applications, remote access to the server should be disabled.
4. The PostgreSQL instance should be configured to only allow access to permitted hosts.
5. Check database user accounts for excessive privileges to delete database tables and records.
MITRE Tactic: TA0003
MITRE Technique: T1505
MITRE Sub-Technique: 001
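The two per-IP threshold rules above (more than 5 failed connections, more than 3 'Error' entries, each within 10 minutes) and the ALTER/DROP/DELETE statement rules, shown as an added Python example that is not Coralogix's rule engine and not the real Azure log format; it assumes a simplified constructed line layout of '<timestamp> <client_ip> <severity> <message>' and constructed sample lines.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=10)

# Constructed sample (not real Azure output); assumed format: '<timestamp> <client_ip> <severity> <message>'.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 FATAL password authentication failed for user "app"
2024-01-01T10:00:40 203.0.113.7 FATAL password authentication failed for user "app"
2024-01-01T10:01:20 203.0.113.7 FATAL password authentication failed for user "app"
2024-01-01T10:02:00 203.0.113.7 FATAL password authentication failed for user "app"
2024-01-01T10:02:40 203.0.113.7 FATAL password authentication failed for user "app"
2024-01-01T10:03:20 203.0.113.7 FATAL password authentication failed for user "app"
2024-01-01T10:06:00 198.51.100.2 ERROR relation "orders_tmp" does not exist
2024-01-01T10:06:05 198.51.100.2 ERROR syntax error at or near "FORM"
2024-01-01T10:06:10 198.51.100.2 ERROR permission denied for table users
2024-01-01T10:06:15 198.51.100.2 ERROR permission denied for table users
2024-01-01T10:07:00 198.51.100.2 LOG statement: ALTER TABLE users ADD COLUMN note text
2024-01-01T10:07:30 198.51.100.2 LOG statement: DROP TABLE audit_log
2024-01-01T10:08:00 198.51.100.2 LOG statement: DELETE FROM orders
"""

class WindowCounter:
    """Per-key sliding window; add() returns True once the count within WINDOW exceeds the threshold."""
    def __init__(self, threshold):
        self.threshold, self.events = threshold, defaultdict(deque)
    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > WINDOW:   # evict events older than the window
            q.popleft()
        return len(q) > self.threshold

def statement_kind(msg):
    """ALTER, DROP or DELETE when the logged statement starts with one of them, else None."""
    kw = msg.removeprefix("statement: ").split(None, 1)[0].upper()
    return kw if msg.startswith("statement: ") and kw in {"ALTER", "DROP", "DELETE"} else None

def run_rules(log_text):
    """Return ([(rule, client_ip), ...] in first-firing order, {statement kind: count})."""
    failed = WindowCounter(5)   # more than 5 failed connections per IP in 10 minutes
    errors = WindowCounter(3)   # more than 3 'Error' entries per IP in 10 minutes
    fired, statements = [], defaultdict(int)
    for line in log_text.splitlines():
        ts, ip, severity, msg = line.split(" ", 3)
        ts = datetime.fromisoformat(ts)
        if "authentication failed" in msg and failed.add(ip, ts):
            fired.append(("failed_connections", ip))
        if severity == "ERROR" and errors.add(ip, ts):
            fired.append(("error_burst", ip))
        if kind := statement_kind(msg):
            statements[kind] += 1
    return list(dict.fromkeys(fired)), dict(statements)
```

On the sample, the failed-connection rule fires at the sixth attempt from 203.0.113.7 and the error rule at the fourth 'Error' line from 198.51.100.2; the statement counts are what a tuned "excessive" threshold would be compared against.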
Integration
Learn more about Coralogix's out-of-the-box integration with Azure Database PostgreSQL in our documentation.