Suspicious SQL backup activity
About the rule
Rule Type
Advanced
Rule Description
This rule detects suspicious SQL backups that follow this pattern: a burst of logon failures, then a successful logon to the network and to the SQL server, and finally a backup of a SQL database. The sequence is consistent with a guessed or brute-forced account being used to copy a database out through the backup mechanism rather than through a scheduled backup job.
Severity
Critical
Rule Requirement
Criteria
Action1: actionname = "null" | timewindow 10m | groupby HOSTNAME | groupby USERNAME having COUNT > 5
Action2: actionname = "Successful logon" AND USERNAME = Action1.USERNAME AND HOSTNAME = Action1.HOSTNAME
Action3: actionname = "mssql_successful_logon" AND HOSTNAME = Action1.HOSTNAME
Action4: actionname = "null" AND USERNAME = Action3.USERNAME AND HOSTNAME = Action1.HOSTNAME
sequence: Action1 followedby Action2 within 2m followedby Action3 within 30m followedby Action4 within 30m
select Action2.HOSTNAME, Action2.MESSAGE, Action2.USERNAME, Action2.DOMAIN, Action2.REMOTEHOST, Action2.REMOTEIP, Action2.LOGONTYPE, Action2.PROCESSNAME, Action3.HOSTNAME, Action3.INSTANCENAME, Action3.USERNAME, Action3.DATABASENAME, Action3.SCHEMANAME, Action3.REMOTEHOST, Action3.OBJECTNAME,
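To make the chaining of the four actions concrete, the following is an added example, not code from this page and not the product's rule engine: a small Python correlator that applies the same count threshold, field bindings and time windows to constructed sample events. The action names used for the failed-logon and backup steps, the event field layout, and every hostname, username, IP and timestamp are assumptions made for the example; the rule text on this page shows the Action1 and Action4 action names as "null", so substitute whatever action names your log source actually emits for those two steps.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Action names for the two steps the rule text shows as "null". Both are
# assumptions made for this example, not names taken from the product.
FAILED_LOGON = "Failed logon"
SQL_BACKUP = "mssql_database_backup"

# Thresholds and windows taken from the rule criteria.
FAILURE_WINDOW = timedelta(minutes=10)    # timewindow 10m
FAILURE_THRESHOLD = 5                     # having COUNT > 5
LOGON_WITHIN = timedelta(minutes=2)       # Action1 followedby Action2 within 2m
SQL_LOGON_WITHIN = timedelta(minutes=30)  # Action2 followedby Action3 within 30m
BACKUP_WITHIN = timedelta(minutes=30)     # Action3 followedby Action4 within 30m


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def failure_bursts(events):
    """Action1: for each (HOSTNAME, USERNAME), find the first 10-minute window
    holding more than FAILURE_THRESHOLD failed logons; return (host, user, end)."""
    per_key = defaultdict(list)
    for e in events:
        if e["actionname"] == FAILED_LOGON:
            per_key[(e["HOSTNAME"], e["USERNAME"])].append(e["ts"])
    bursts = []
    for (host, user), times in per_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > FAILURE_WINDOW:  # drop failures older than the window
                start += 1
            if end - start + 1 > FAILURE_THRESHOLD:
                bursts.append((host, user, t))
                break
    return bursts


def first_after(events, t0, limit, **match):
    """Earliest event later than t0 and no later than t0 + limit whose fields
    equal every key/value in `match` (the rule's field bindings)."""
    for e in sorted(events, key=lambda e: e["ts"]):
        if t0 < e["ts"] <= t0 + limit and all(e.get(k) == v for k, v in match.items()):
            return e
    return None


def detect(events):
    """Evaluate the four-step sequence; one alert per complete chain, carrying
    a subset of the fields the rule's select clause names."""
    alerts = []
    for host, user, t1 in failure_bursts(events):
        a2 = first_after(events, t1, LOGON_WITHIN,
                         actionname="Successful logon", HOSTNAME=host, USERNAME=user)
        if a2 is None:
            continue
        # Action3 is bound to Action1 by HOSTNAME only: the SQL login (e.g. "sa")
        # need not equal the Windows USERNAME that failed and then succeeded.
        a3 = first_after(events, a2["ts"], SQL_LOGON_WITHIN,
                         actionname="mssql_successful_logon", HOSTNAME=host)
        if a3 is None:
            continue
        a4 = first_after(events, a3["ts"], BACKUP_WITHIN,
                         actionname=SQL_BACKUP, HOSTNAME=host, USERNAME=a3["USERNAME"])
        if a4 is None:
            continue
        alerts.append({
            "Action2.HOSTNAME": a2["HOSTNAME"], "Action2.USERNAME": a2["USERNAME"],
            "Action2.REMOTEIP": a2.get("REMOTEIP"), "Action2.LOGONTYPE": a2.get("LOGONTYPE"),
            "Action3.INSTANCENAME": a3.get("INSTANCENAME"), "Action3.USERNAME": a3["USERNAME"],
            "Action4.DATABASENAME": a4.get("DATABASENAME"),
        })
    return alerts


def ev(t, action, host, user, **extra):
    return {"ts": ts(t), "actionname": action, "HOSTNAME": host, "USERNAME": user, **extra}


# Constructed sample events, not real logs. SQL01: six failed logons as jdoe,
# a success, a SQL login as sa, a backup 15 minutes later (matches). SQL02: a
# routine service-account backup with no failures (no match). SQL03: same chain
# as SQL01 but the backup is 43 minutes after the SQL login, outside 30m (no match).
SAMPLE_EVENTS = [
    *[ev(f"2024-03-01 09:00:{10 * i:02d}", FAILED_LOGON, "SQL01", "jdoe",
         REMOTEIP="10.0.0.77", LOGONTYPE="3") for i in range(6)],
    ev("2024-03-01 09:01:30", "Successful logon", "SQL01", "jdoe",
       REMOTEIP="10.0.0.77", LOGONTYPE="3"),
    ev("2024-03-01 09:05:00", "mssql_successful_logon", "SQL01", "sa",
       INSTANCENAME="MSSQLSERVER", DATABASENAME="master"),
    ev("2024-03-01 09:20:00", SQL_BACKUP, "SQL01", "sa", DATABASENAME="Payroll"),
    ev("2024-03-01 02:00:00", "mssql_successful_logon", "SQL02", "svc_backup"),
    ev("2024-03-01 02:01:00", SQL_BACKUP, "SQL02", "svc_backup", DATABASENAME="Payroll"),
    *[ev(f"2024-03-01 10:00:{10 * i:02d}", FAILED_LOGON, "SQL03", "jdoe") for i in range(6)],
    ev("2024-03-01 10:01:00", "Successful logon", "SQL03", "jdoe"),
    ev("2024-03-01 10:02:00", "mssql_successful_logon", "SQL03", "sa"),
    ev("2024-03-01 10:45:00", SQL_BACKUP, "SQL03", "sa", DATABASENAME="Payroll"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints a single alert for SQL01. Two points the example makes explicit that the one-line criteria hide: Action3 is joined to Action1 on HOSTNAME alone, so the SQL login in the alert can be a different principal from the account that was guessed, and each "within" window is measured from the previous matched event, not from the start of the burst, which is why the SQL03 chain falls out.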
Detection
Execution Mode
realtime
Log Sources
Miscellaneous