Suspicious SQL backup activity
About the rule
Rule Type
Advanced
Rule Description
This rule detects suspicious SQL backups that follow this pattern: a sequence of logon failures, followed by a successful logon to the network and to the SQL server, and then a backup of a SQL database.
Severity
Critical
Rule Requirement
Criteria
Action1:
actionname = "Failed logon"
| timewindow 10m
| groupby HOSTNAME
| groupby USERNAME having COUNT >= 5
Action2:
actionname = "Successful logon" AND USERNAME = Action1.USERNAME AND HOSTNAME = Action1.HOSTNAME
Action3:
actionname = "Successful logon" AND HOSTNAME = Action1.HOSTNAME
Action4:
actionname = "SQLServer Database Backup" AND USERNAME = Action3.USERNAME AND HOSTNAME = Action1.HOSTNAME
sequence:Action1 followedby Action2 within 2m followedby Action3 within 30m followedby Action4 within 30m
select Action1.timewindow.HOSTNAME,Action1.timewindow.MESSAGE,Action1.timewindow.USERNAME,Action1.timewindow.DOMAIN,Action1.timewindow.REMOTEHOST,Action1.timewindow.REMOTEIP,Action1.timewindow.LOGONTYPE,Action1.timewindow.PROCESSNAME,Action1.timewindow.FAILUREREASON,Action2.HOSTNAME,Action2.MESSAGE,Action2.USERNAME,Action2.DOMAIN,Action2.REMOTEHOST,Action2.REMOTEIP,Action2.LOGONTYPE,Action2.PROCESSNAME,Action2.CALLER,Action2.LOGON_PROCESS,Action2.MEMBERGROUPSID,Action2.SECURITYID,Action3.HOSTNAME,Action3.INSTANCENAME,Action3.USERNAME,Action3.DATABASENAME,Action3.SCHEMANAME,Action3.REMOTEHOST,Action3.OBJECTNAME,Action4.HOSTNAME,Action4.USERNAME,Action4.OBJECTNAME,Action4.INSTANCENAME,Action4.DATABASENAME,Action4.SCHEMANAME
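The criteria above describe a four-stage sequence: a burst of at least five failed logons for one user on one host within 10 minutes (Action1), a successful logon for that same user and host within 2 minutes (Action2), a later successful logon on that host within 30 minutes (Action3, whose USERNAME is carried forward), and a SQL Server database backup by the Action3 user on the Action1 host within 30 minutes (Action4). The following Python is an added illustration, not the product's own engine or code from this page: it replays the same sequence as a small state machine over a list of normalised events. The event dictionaries, field names (mirroring the rule's HOSTNAME/USERNAME/actionname fields), timestamps and host or user names are constructed for the example; Action2 and Action3 are required to be distinct successful-logon events, and a chain is dropped as soon as its next step's window has elapsed.

```python
"""Offline re-implementation of the 'Suspicious SQL backup activity' sequence
(failed logons -> successful logon -> later logon on the host -> database
backup) as a state machine over a time-ordered list of events.
Added example; field names and sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sequence parameters taken from the rule criteria.
FAILURE_THRESHOLD = 5                  # Action1: COUNT >= 5 ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within timewindow 10m
ACTION2_WINDOW = timedelta(minutes=2)   # Action1 followedby Action2 within 2m
ACTION3_WINDOW = timedelta(minutes=30)  # Action2 followedby Action3 within 30m
ACTION4_WINDOW = timedelta(minutes=30)  # Action3 followedby Action4 within 30m


def event(t, actionname, host, user):
    """Build one normalised event (constructed sample data, not real logs)."""
    return {"ts": datetime.fromisoformat(t), "actionname": actionname,
            "HOSTNAME": host, "USERNAME": user}


def detect_suspicious_sql_backups(events):
    """Return one alert dict per fully matched Action1..Action4 chain."""
    events = sorted(events, key=lambda e: e["ts"])   # realtime order
    failures = defaultdict(list)   # (host, user) -> recent failure timestamps
    chains = []                    # partially matched sequences
    alerts = []

    for ev in events:
        t, host, user, name = ev["ts"], ev["HOSTNAME"], ev["USERNAME"], ev["actionname"]

        # Expire chains whose next step is already outside its window.
        chains = [c for c in chains if t - c["last_ts"] <= c["deadline"]]

        if name == "Failed logon":
            recent = [x for x in failures[(host, user)] if t - x <= FAILURE_WINDOW]
            recent.append(t)
            failures[(host, user)] = recent
            if len(recent) == FAILURE_THRESHOLD:   # Action1 fires once per burst
                chains.append({"stage": 1, "host": host, "user": user,
                               "failures": len(recent),
                               "last_ts": t, "deadline": ACTION2_WINDOW})

        elif name == "Successful logon":
            for c in chains:   # elif keeps one event from advancing a chain twice
                if c["stage"] == 1 and c["user"] == user and c["host"] == host:
                    # Action2: same user and host as the failure burst
                    c.update(stage=2, last_ts=t, deadline=ACTION3_WINDOW)
                elif c["stage"] == 2 and c["host"] == host:
                    # Action3: any later successful logon on that host; keep its user
                    c.update(stage=3, sql_user=user, last_ts=t, deadline=ACTION4_WINDOW)

        elif name == "SQLServer Database Backup":
            remaining = []
            for c in chains:
                if c["stage"] == 3 and c["host"] == host and c["sql_user"] == user:
                    # Action4: backup by the Action3 user on the Action1 host
                    alerts.append({"HOSTNAME": host,
                                   "Action1.USERNAME": c["user"],
                                   "Action3.USERNAME": c["sql_user"],
                                   "failed_logons": c["failures"],
                                   "backup_ts": t})
                else:
                    remaining.append(c)
            chains = remaining

    return alerts


# Constructed sample telemetry: SQL01 carries a full chain; SQL03 has a failure
# burst whose successful logon arrives too late (4m20s > 2m); SQL02 is a
# routine backup with no preceding failures.
SAMPLE_EVENTS = (
    [event(f"2024-01-15T09:00:{s:02d}", "Failed logon", "SQL01", "svc_backup")
     for s in (0, 10, 20, 30, 40)]
    + [event("2024-01-15T09:01:30", "Successful logon", "SQL01", "svc_backup"),
       event("2024-01-15T09:10:00", "Successful logon", "SQL01", "svc_backup"),
       event("2024-01-15T09:20:00", "SQLServer Database Backup", "SQL01", "svc_backup")]
    + [event(f"2024-01-15T09:05:{s:02d}", "Failed logon", "SQL03", "jdoe")
       for s in (0, 10, 20, 30, 40)]
    + [event("2024-01-15T09:10:00", "Successful logon", "SQL03", "jdoe"),
       event("2024-01-15T09:15:00", "SQLServer Database Backup", "SQL02", "dba")]
)

if __name__ == "__main__":
    for alert in detect_suspicious_sql_backups(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script reports a single alert for SQL01 (user svc_backup, five failed logons); the SQL03 burst never reaches Action2 because its successful logon falls outside the 2-minute window, and the SQL02 backup has no chain to complete. Tuning the windows or the failure threshold at the top of the file is the offline equivalent of adjusting the rule's criteria.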
Detection
Execution Mode
realtime
Log Sources
Miscellaneous