Windows MSSQL disable audit settings

This rule is part of a beta feature. To learn more, contact Support.
windows

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detects attempts to disable or modify SQL Server audit settings through ALTER or DROP commands.

Strategy

This rule monitors for event ID 33205 which captures SQL Server audit-related commands. The detection focuses on ALTER and DROP operations targeting SERVER AUDIT configurations, which could indicate attempts to disable security monitoring capabilities within the SQL Server environment.

Triage & Response

  • Examine the specific audit configuration changes made to the SQL Server instance on {{host}}.
  • Verify if the modifications were part of authorized maintenance or change management.
  • Check for any concurrent suspicious activities around the time of the audit changes.
  • Restrict audit configuration modifications to authorized database administrators.