Malicious IP connected to MySQL database

Set up the mysql integration.


Goal

Detect database connections from IP addresses that are identified as malicious. Network access to database servers should be restricted.

Strategy

This rule monitors MySQL logs and triggers when the connecting client IP (@network.client.ip) matches a threat intelligence indicator. Datadog enriches all ingested logs with threat intelligence in real time, so the match is made at ingestion, on each connection event, rather than by a periodic lookup.

Triage and response

  1. Determine whether the user {{ @db.user }} is expected to authenticate from the IP {{ @network.client.ip }}: compare it with the hosts the account is allowed to connect from and with the known egress addresses of the applications that use it.
  2. Restrict network access to the database. Remove any public exposure and limit inbound connections to the application networks that need them.
  3. If the login was successful, review database logs for suspicious actions taken by the user {{ @db.user }}, such as unusual queries, privilege changes, or bulk data reads.
  4. Rotate credentials for the affected account and terminate any sessions it still holds.
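The detection described under Strategy, together with the two facts the triage steps ask for (is the source expected for this account, and did the login succeed), as an added example that is not Datadog's or MySQL's own code. It parses constructed MySQL general-log lines, matches the client IP against a local indicator list that stands in for Datadog's threat intelligence enrichment, and checks the account against a constructed allow-list of expected source networks; the indicator list, the allow-list, and the sample log lines are all assumptions made for the example.

```python
"""Flag MySQL logins from threat-intel-listed IPs and pre-compute the
triage facts from the runbook (expected source? successful login?).
Added example with constructed data; not Datadog or MySQL code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed indicator list standing in for Datadog's real-time threat
# intelligence enrichment (assumption for this example).
MALICIOUS_INDICATORS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.45/32"),
]

# Constructed allow-list of source networks each account normally uses
# (triage step 1). Accounts missing here have no expected source.
EXPECTED_SOURCES = {
    "app": [ipaddress.ip_network("10.20.0.0/16")],
    "reporting": [ipaddress.ip_network("10.30.5.7/32")],
}

# General-log 'Connect' entry for an accepted login:
#   <ts>\t<id> Connect\t<user>@<host> on <db> using <protocol>
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+Connect\s+(?P<user>[^@\s]+)@(?P<host>\S+)"
    r"\s+on\s+\S*\s+using\s+\S+"
)
# Rejected login, as MySQL writes it to the general log and the error log.
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")


@dataclass
class Finding:
    timestamp: str
    db_user: str           # -> @db.user
    client_ip: str         # -> @network.client.ip
    successful: bool       # accepted connection vs. access denied
    expected_source: bool  # does this account normally connect from here?
    matched_indicator: str


def parse_connection(line: str) -> Optional[tuple]:
    """Return (timestamp, user, host, successful) for a login line, else None."""
    ts = line.split(None, 1)[0] if line.strip() else ""
    m = DENIED_RE.search(line)
    if m:
        return ts, m.group("user"), m.group("host"), False
    m = CONNECT_RE.match(line)
    if m:
        return m.group("ts"), m.group("user"), m.group("host"), True
    return None


def matched_indicator(ip) -> Optional[str]:
    """Return the first indicator network containing ip, or None."""
    for net in MALICIOUS_INDICATORS:
        if ip in net:  # version mismatch (v4 vs v6) simply yields False
            return str(net)
    return None


def analyze(lines) -> list:
    """Emit a Finding for every login whose client IP matches an indicator."""
    findings = []
    for line in lines:
        parsed = parse_connection(line)
        if parsed is None:
            continue
        ts, user, host, ok = parsed
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # 'localhost' or a hostname: nothing to match against
        hit = matched_indicator(ip)
        if hit is None:
            continue
        expected = any(ip in net for net in EXPECTED_SOURCES.get(user, []))
        findings.append(Finding(ts, user, str(ip), ok, expected, hit))
    return findings


# Constructed sample general-log lines (tab-separated, as MySQL writes them).
SAMPLE_LOG = (
    "2024-03-01T10:15:20.000000Z\t   12 Connect\tapp@10.20.4.9 on appdb using TCP/IP\n"
    "2024-03-01T10:15:22.000000Z\t   13 Connect\tapp@203.0.113.45 on appdb using TCP/IP\n"
    "2024-03-01T10:15:23.000000Z\t   14 Connect\tAccess denied for user 'reporting'@'198.51.100.77' (using password: YES)\n"
    "2024-03-01T10:15:25.000000Z\t   15 Connect\troot@localhost on  using Socket\n"
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run on the sample, the first line (an expected source) and the socket login from localhost produce nothing; the `app` connection from 203.0.113.45 is reported as a successful login from an unexpected source, which is the case where step 3 (review what the account did) applies, and the `reporting` attempt from 198.51.100.77 is reported as a denied login, where steps 2 and 4 still apply but there is no session activity to review.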