Databases
Overview
Monitoring database logs to detect and respond to unauthorized access, potential data breaches, abnormal queries, and other security-related events.
Sample products
- Imperva SecureSphere
- IBM Guardium
Use Case Categories
| Category | Description |
|---|---|
| Unauthorized Database Access Detection | Proactively monitors database activity to detect and respond to unauthorized attempts to access databases. |
| Database Configuration Changes Monitoring | Monitors changes to database configurations to ensure compliance, minimize vulnerabilities, and maintain stability. |
| Sensitive Data Exposure Alerts | Detects and alerts on potential exposure of sensitive data within databases, safeguarding against data breaches and ensuring regulatory compliance. |
| Anomalous Database Query Patterns | Identifies irregular patterns in database queries to detect potential security threats or unauthorized activities. |
| Failed Database Login Attempts | Monitors and analyzes failed database login attempts to identify potential credential misuse or security breaches. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Anomalous Login Activity Detection | Monitor database login activity for anomalies such as unusual login times, excessive failed login attempts, or logins from unexpected locations. |
| Privileged User Activity Monitoring | Monitor activities performed by privileged database users, such as administrators or DBAs, to detect unauthorized access or suspicious behavior. |
| User Account Permission Changes | Monitor changes to user account permissions and privileges within the database to detect unauthorized elevation of privileges. |
| Database Connection from Blocklisted IPs | Monitor database connections for connections originating from blocklisted or suspicious IP addresses. |
| Suspicious Query Patterns Detection | Monitor database query activity for suspicious patterns or queries indicative of unauthorized access attempts or data exfiltration. |
| Unauthorized Database Configuration Changes | Monitor database configuration files for unauthorized modifications or changes. |
| Suspicious Database Schema Alterations | Monitor database schema for suspicious alterations or modifications that may indicate unauthorized changes. |
| Database Role Permission Changes | Monitor changes to database roles and permissions for unauthorized modifications or elevation of privileges. |
| Abnormal Database Configuration Backup Activity | Monitor database configuration backup logs for anomalies or irregularities in backup processes. |
| Unauthorized Query Activity Detection | Monitor database query logs for unauthorized or suspicious activity. |
| Data Encryption Status Monitoring | Monitor database encryption status to ensure sensitive data is adequately protected. |
| Suspicious Data Replication Activity | Monitor database replication logs for suspicious or unauthorized replication activity. |
| Unusual Query Sources | Monitor database access logs for queries originating from unexpected or unauthorized sources. |
| Query Rate Anomaly Detection | Monitor database query rates and identify anomalous patterns of query frequency. |
| Abnormal Database Performance Monitoring | Monitor database performance metrics for abnormal fluctuations or degradation in performance. |
| Long-Running Query Identification | Monitor for queries with excessively long execution times or resource consumption. |
| Suspicious Account Lockouts Monitoring | Monitor database authentication logs for unusual patterns of account lockouts. |
| Anomaly in Login Source Locations | Monitor database authentication logs for login attempts from unexpected or unusual geographic locations. |
| Brute-Force Attack Detection | Monitor authentication logs for patterns indicative of brute-force attacks attempting to gain unauthorized access to the database. |
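The following is an added example, not part of the original page and not code from any of the products listed above. It shows how four of the core use cases (Brute-Force Attack Detection, Database Connection from Blocklisted IPs, User Account / Role Permission Changes, and the off-hours part of Anomalous Login Activity Detection) can be expressed as rules over database audit events. The log format, the sample lines, the blocklist, the 5-failures-in-5-minutes threshold and the 22:00-06:00 UTC business window are all assumptions constructed for the example; a real deployment would map its own product's log schema onto `parse_log` and tune the thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed generic format (not the output of any real product):
#   <UTC timestamp> <EVENT> key=value ... [stmt="<sql>"]
SAMPLE_LOG = """\
2024-05-01T02:13:01Z LOGIN_FAILED user=app_ro src=203.0.113.7 db=sales
2024-05-01T02:13:02Z LOGIN_FAILED user=app_ro src=203.0.113.7 db=sales
2024-05-01T02:13:03Z LOGIN_FAILED user=app_ro src=203.0.113.7 db=sales
2024-05-01T02:13:04Z LOGIN_FAILED user=app_ro src=203.0.113.7 db=sales
2024-05-01T02:13:05Z LOGIN_FAILED user=app_ro src=203.0.113.7 db=sales
2024-05-01T02:13:09Z LOGIN_OK user=app_ro src=203.0.113.7 db=sales
2024-05-01T09:00:10Z LOGIN_OK user=reports src=10.0.5.21 db=sales
2024-05-01T09:00:11Z QUERY user=reports src=10.0.5.21 db=sales stmt="SELECT count(*) FROM orders"
2024-05-01T09:15:00Z LOGIN_OK user=dba_jane src=10.0.9.4 db=sales
2024-05-01T09:15:20Z QUERY user=dba_jane src=10.0.9.4 db=sales stmt="GRANT ALL PRIVILEGES ON DATABASE sales TO app_ro"
2024-05-01T11:42:00Z LOGIN_FAILED user=admin src=198.51.100.9 db=sales
2024-05-01T23:30:00Z LOGIN_OK user=reports src=10.0.5.21 db=sales
"""

BLOCKLIST = {"198.51.100.9"}  # assumed threat-intel blocklist, constructed for the example
# DCL / role statements that change who can do what in the database
PRIV_RE = re.compile(r"^\s*(GRANT\b|REVOKE\b|ALTER\s+(ROLE|USER)\b|CREATE\s+(ROLE|USER)\b)", re.I)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse the assumed audit format into a list of event dicts (ts, event, plus key=value fields)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["kv"])}
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "event": m["event"], **fields})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Brute-Force Attack Detection: >= threshold LOGIN_FAILED from one source inside a sliding window."""
    alerts, recent = [], defaultdict(deque)
    for e in events:
        if e["event"] != "LOGIN_FAILED":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "brute_force", "src": e["src"], "failures": len(q), "ts": e["ts"]})
            q.clear()  # fire once per burst rather than on every further failure
    return alerts


def detect_blocklisted_sources(events, blocklist=BLOCKLIST):
    """Database Connection from Blocklisted IPs: any login attempt, successful or not, from a listed source."""
    return [{"rule": "blocklisted_source", "src": e["src"], "user": e["user"], "ts": e["ts"]}
            for e in events if e["event"] in ("LOGIN_OK", "LOGIN_FAILED") and e["src"] in blocklist]


def detect_privilege_changes(events):
    """User Account / Database Role Permission Changes: statements that alter grants or roles."""
    return [{"rule": "privilege_change", "user": e["user"], "stmt": e["stmt"], "ts": e["ts"]}
            for e in events if e["event"] == "QUERY" and PRIV_RE.match(e.get("stmt", ""))]


def detect_off_hours_logins(events, start_hour=22, end_hour=6):
    """Anomalous Login Activity Detection: successful logins outside the assumed business window (UTC)."""
    return [{"rule": "off_hours_login", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events
            if e["event"] == "LOGIN_OK" and (e["ts"].hour >= start_hour or e["ts"].hour < end_hour)]


def run_all(text=SAMPLE_LOG):
    """Run every rule over the log text and return the alerts in time order."""
    events = parse_log(text)
    alerts = (detect_brute_force(events) + detect_blocklisted_sources(events)
              + detect_privilege_changes(events) + detect_off_hours_logins(events))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_all():
        print(a["ts"].isoformat(), a["rule"], {k: v for k, v in a.items() if k not in ("ts", "rule")})
```

On the constructed sample this yields five alerts: one brute-force burst from 203.0.113.7 (note that the burst is followed by a successful login from the same source, which an analyst would treat as the higher-priority signal), two off-hours logins, one GRANT by a DBA account, and one login attempt from the blocklisted address. Each rule keys on a single field, so the same functions work unchanged once a real product's events are normalised into the `ts`/`event`/`user`/`src`/`stmt` fields.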
MITRE ATT&CK
T1110, T1552, T1566, T1055, T1078, T1087, T1069, T1070, T1190, T1071, T1048, T1105, T1106, T1564, T1560, T1487, T1082, T1550, T1498, T1570, T1485, T1010, T1083, T1049, T1119, T1573, T1005, T1133, T1114, T1132, T1016, T1115, T1488, T1491, T1494, T1059, T1053, T1028, T1562, T1018