Quick Start Security for Azure SQL

Coralogix Extension For Azure SQL Includes:

Alerts - 11

Stay on top of Azure SQL key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

An attempt has been made to delete a locked server

This alert detects when a user has tried to delete a server that has been locked from deletion. Locks are an Azure feature that prevent the accidental deletion of resources.

Impact: An attempt to delete a server should be inspected and validated as legitimate, as it could mean that an attacker is trying to delete legitimate resources.

Mitigation: Validate that the deletion attempt was authorized and intended; revert and investigate further if not. If this alert is followed by a successful deletion alert, pay close attention to the performing user and validate the activity quickly, as it might mean an attacker has managed to disable or circumvent the lock.

MITRE Tactic: TA0040. MITRE Technique: T1531.

An attempt has been made to delete a locked database

This alert detects when a user has tried to delete a database that has been locked from deletion. Locks are an Azure feature that prevent the accidental deletion of resources.

Impact: An attempt to delete a database should be inspected and validated as legitimate, as it could mean that an attacker is trying to delete legitimate resources.

Mitigation: Validate that the deletion attempt was authorized and intended; revert and investigate further if not. If this alert is followed by a successful deletion alert, pay close attention to the performing user and validate the activity quickly, as it might mean an attacker has managed to disable or circumvent the lock.

MITRE Tactic: TA0040. MITRE Technique: T1531.
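The two locked-deletion alerts above share one escalation rule: a delete blocked by a lock is an "attempt", and a later successful delete of the same resource means the lock was disabled or circumvented. The detector below is an added example, not Coralogix's rule implementation; the record layout is an assumed, simplified subset of the Azure Activity Log, and the `ScopeLocked` error code and the sample events are constructed for illustration.

```python
# Added example: correlate lock-blocked deletes of Azure SQL resources with a
# later successful delete of the same resource. Field names are an assumed,
# simplified subset of the Azure Activity Log record, not a verified schema.
from datetime import datetime, timedelta

LOCK_ERROR = "ScopeLocked"  # assumed error code returned when a lock blocks a delete
DELETE_OPS = {"Microsoft.Sql/servers/delete", "Microsoft.Sql/servers/databases/delete"}

# Constructed sample events (not real log data). The lock-removal event in the
# middle is kept so the sequence reads realistically; the rule keys only on the
# outcome of the delete operations themselves.
SRV = "/subscriptions/sub0/resourceGroups/rg/providers/Microsoft.Sql/servers/sql-prod"
DB = SRV.replace("sql-prod", "sql-dev") + "/databases/scratch"
EVENTS = [
    {"time": "2024-05-01T10:00:00", "operationName": "Microsoft.Sql/servers/delete",
     "resourceId": SRV, "caller": "alice@example.com", "status": "Failed",
     "errorCode": "ScopeLocked"},
    {"time": "2024-05-01T10:07:00", "operationName": "Microsoft.Authorization/locks/delete",
     "resourceId": SRV + "/providers/Microsoft.Authorization/locks/no-delete",
     "caller": "alice@example.com", "status": "Succeeded", "errorCode": None},
    {"time": "2024-05-01T10:09:00", "operationName": "Microsoft.Sql/servers/delete",
     "resourceId": SRV, "caller": "alice@example.com", "status": "Succeeded",
     "errorCode": None},
    {"time": "2024-05-01T11:00:00", "operationName": "Microsoft.Sql/servers/databases/delete",
     "resourceId": DB, "caller": "bob@example.com", "status": "Failed",
     "errorCode": "ScopeLocked"},
]


def locked_delete_alerts(events, window=timedelta(hours=1)):
    """Return (kind, resourceId, caller) tuples in time order.

    'attempt'      : a delete of an Azure SQL server/database was blocked by a lock.
    'circumvented' : the same resource was successfully deleted within `window`
                     of a blocked attempt, i.e. the lock was removed or bypassed.
    """
    alerts = []
    blocked = {}  # resourceId -> time of the most recent lock-blocked delete
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["operationName"] not in DELETE_OPS:
            continue
        rid, when = e["resourceId"], datetime.fromisoformat(e["time"])
        if e["status"] == "Failed" and e.get("errorCode") == LOCK_ERROR:
            alerts.append(("attempt", rid, e["caller"]))
            blocked[rid] = when
        elif e["status"] == "Succeeded" and rid in blocked:
            if when - blocked[rid] <= window:
                alerts.append(("circumvented", rid, e["caller"]))
            del blocked[rid]
    return alerts
```

Run over the sample, the server in `SRV` yields an "attempt" followed by a "circumvented" alert for the same caller, while the locked database yields only an "attempt".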

An SQL security alert policy has been deleted

This alert detects when an Azure SQL security alert policy was deleted.

Impact: An adversary may delete a defined security policy in order to remove security alerts such as SQL injection or brute-force attempts. Removing these alerts can expose the database to attacks.

Mitigation: Validate that the action was authorized and revert the changes if not. Ensure the user who deleted the policy has the correct privileges to perform the operation.

MITRE Tactic: TA0005. MITRE Technique: T1562.

An SQL security alert policy has been created or updated

This alert detects when an Azure SQL security alert policy was created or updated.

Impact: An adversary may tamper with the defined security policy in order to disable security alerts such as SQL injection or brute-force attempts. Disabling these alerts can expose the database to attacks.

Mitigation: Validate that the action was authorized and revert the changes if not. Ensure the user who updated the policy has the correct privileges to perform the operation.

MITRE Tactic: TA0005. MITRE Technique: T1562.

An SQL server firewall rule was created or updated

This alert detects when an Azure SQL firewall rule was created or updated.

Impact: Custom firewall rules can be manipulated by attackers to gain an entry point into various services in Azure.

Mitigation: Validate that the action was authorized and revert the changes if not. Ensure the user who created the rule has the correct privileges to create or modify a firewall rule.

MITRE Tactic: TA0005. MITRE Technique: T1562.

An SQL server firewall rule was deleted

This alert detects when an Azure SQL firewall rule was deleted.

Impact: An adversary may delete a firewall rule in order to gain access to an SQL server and compromise it.

Mitigation: Validate that the action was authorized and revert the changes if not. Ensure the user who deleted the rule has the correct privileges to delete or modify a firewall rule.

MITRE Tactic: TA0005. MITRE Technique: T1562.

An SQL server was deleted

This alert detects when an Azure SQL server was deleted.

Impact: If an adversary deletes an SQL server, they could potentially disrupt operations and cause data loss. Depending on the data stored on the server, this could lead to a data breach, financial loss, and reputational damage.

Mitigation: Validate that the action was authorized and revert the changes if not. Give special attention to multiple deletion events, which can indicate intentional malicious activity.

MITRE Tactic: TA0005. MITRE Technique: T1578.

An SQL server was created or updated

This alert detects when an Azure SQL server was created or updated.

Impact: If an adversary creates or modifies an SQL server, they could potentially gain access to sensitive data. They could use the instance to run malicious code, exfiltrate data, or launch further attacks on other systems. This could lead to data breaches, financial loss, and reputational damage.

Mitigation: Validate that the change was authorized and intended; revert and investigate further if not. Give special attention to multiple creation events or systemic changes across different accounts, which can indicate malicious activity.

MITRE Tactic: TA0005. MITRE Technique: T1578.

An SQL database has been deleted

This alert detects when an Azure SQL database was deleted.

Impact: If an adversary deletes an SQL database, they could potentially disrupt operations and cause data loss. Depending on the data stored in the database, this could lead to a data breach, financial loss, and reputational damage.

Mitigation: Validate that the action was authorized and revert the changes if not. Give special attention to multiple deletion events, which can indicate intentional malicious activity.

MITRE Tactic: TA0005. MITRE Technique: T1578.

An SQL database was created or updated

This alert detects when an Azure SQL database was created or updated.

Impact: If an adversary creates or modifies an SQL database, they could potentially gain access to sensitive data. They could use the instance to run malicious code, exfiltrate data, or launch further attacks on other systems. This could lead to data breaches, financial loss, and reputational damage.

Mitigation: Validate that the action was authorized and revert the changes if not. Give special attention to multiple creation or modification events, which can indicate malicious activity.

MITRE Tactic: TA0005. MITRE Technique: T1578.

No logs from Azure SQL

This rule detects when no logs have been received from Azure SQL in the customer account in the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005. MITRE Technique: T1562.

Integration

Learn more about Coralogix's out-of-the-box integration with Azure SQL in our documentation.