This alert detects when a user has tried to delete a server that has been locked from deletion. Locks are an Azure feature to prevent the accidental deletion of resources. Impact An attempt to delete a server should be inspected and validated as legitimate as it could mean that an attacker is trying to delete legitimate resources. Mitigation Validate that the deletion attempt was authorized and intended, revert and further investigate if not. If this alert is followed by a successful deletion alert, pay close attention to the performing user and quickly validate it as it might mean an attacker has managed to disable or circumvent the lock. MITRE Tactic: TA0040 MITRE Technique: T1531

This alert detects when a user has tried to delete a database that has been locked from deletion. Locks are an Azure feature to prevent the accidental deletion of resources. Impact An attempt to delete a database should be inspected and validated as legitimate as it could mean that an attacker is trying to delete legitimate resources. Mitigation Validate that the deletion attempt was authorized and intended, revert and further investigate if not. If this alert is followed by a successful deletion alert, pay close attention to the performing user and quickly validate it as it might mean an attacker has managed to disable or circumvent the lock. MITRE Tactic: TA0040 MITRE Technique: T1531

This alert detects when an Azure SQL security alert policy was deleted. Impact An adversary may delete a defined security policy in order to remove security alerts such as SQL Injection or brute force attempts. Removing these alerts can expose the database to attacks. Mitigation Validate that the action was authorized and revert changes if not. Ensure the user who deleted the policy has the correct privileges to perform the operation. MITRE Tactic: TA0005 MITRE Technique: T1562

This alert detects when an Azure SQL security alert policy was created or updated. Impact An adversary may tamper with the defined security policy in order to disable security alerts such as SQL Injection or brute force attempts. Disabling these alerts can expose the database to attacks. Mitigation Validate that the action was authorized and revert changes if not. Ensure the user who updated the policy has the correct privileges to perform the operation. MITRE Tactic: TA0005 MITRE Technique: T1562

This alert detects when an Azure SQL firewall rule was created or updated. Impact Custom firewall rules can be manipulated by attackers to have an entry point into various services in Azure. Mitigation Validate that the action was authorized and revert changes if not. Ensure the user who created the rule has the correct privileges to create or modify a firewall rule. MITRE Tactic: TA0005 MITRE Technique: T1562

This alert detects when an Azure SQL firewall rule was deleted. Impact An adversary may delete a firewall rule in order to gain access to the an SQL server and compromise it. Mitigation Validate that the action was authorized and revert changes if not. Ensure the user who created the rule has the correct privileges to create or modify a firewall rule. MITRE Tactic: TA0005 MITRE Technique: T1562

This alert detects when an Azure SQL server was deleted. Impact If an adversary deletes an SQL server, they could potentially disrupt operations and cause data loss. Depending on the data stored on the server, this could lead to a data breach, financial loss, and reputational damage. Mitigation Validate that the action was authorized and revert changes if not. Give special attention to multiple deletion events that can indicate intended malicious activity. MITRE Tactic: TA0005 MITRE Technique: T1578

This alert detects when an Azure SQL server was created or updated. Impact If an adversary creates or modifies an SQL server, they could potentially gain access to sensitive data. They could use the instance to run malicious code, exfiltrate data, or use the instance to launch further attacks on other systems. This could lead to data breaches, financial loss, and reputational damage. Mitigation Validate that the change was authorized and intended, revert and further investigate if not. Give special attention to multiple creation events or systemic changes of different accounts that can indicate malicious activity. MITRE Tactic: TA0005 MITRE Technique: T1578

This alert detects when an Azure SQL database was deleted. Impact If an adversary deletes an SQL database, they could potentially disrupt operations and cause data loss. Depending on the data stored on the database, this could lead to a data breach, financial loss, and reputational damage. Mitigation Validate that the action was authorized and revert changes if not Give special attention to multiple deletion events that can indicate intended malicious activity. MITRE Tactic: TA0005 MITRE Technique: T1578

This alert detects when an Azure SQL database was created or updated. Impact If an adversary creates or modifies an SQL database, they could potentially gain access to sensitive data. They could use the instance to run malicious code, exfiltrate data, or use the instance to launch further attacks on other systems. This could lead to data breaches, financial loss, and reputational damage. Mitigation Validate that the action was authorized and revert changes if not. Give special attention to multiple deletion events that can indicate intended malicious activity. MITRE Tactic: TA0005 MITRE Technique: T1578