Malicious IP connected to PostgreSQL database


Goal

Detect database connections from IP addresses that are identified as malicious. Network access to database servers should be restricted.

Strategy

This rule monitors logs from PostgreSQL to detect when a connection originates from an IP identified as malicious. Datadog enriches all ingested logs with threat intelligence in real time.

A High signal is generated if the connection resulted in a successful login. A Low signal is generated if there was no login attempt or the login attempt failed.
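To make the severity logic concrete, here is an added example (not Datadog's own implementation) that groups PostgreSQL connection log lines by backend PID, matches the client host against a constructed threat-intel set standing in for the real-time enrichment, and emits High for a successful login and Low otherwise. The log lines and the malicious IP set are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the threat-intel enrichment (assumption, not a real feed).
MALICIOUS_IPS = {"203.0.113.5", "198.51.100.7"}

# Constructed PostgreSQL stderr log lines (log_connections = on); four backend sessions.
SAMPLE_LOG = """\
2024-05-01 12:00:00 UTC [1234] LOG:  connection received: host=203.0.113.5 port=54321
2024-05-01 12:00:01 UTC [1234] LOG:  connection authorized: user=app database=prod
2024-05-01 12:00:02 UTC [1235] LOG:  connection received: host=198.51.100.7 port=40000
2024-05-01 12:00:03 UTC [1235] FATAL:  password authentication failed for user "admin"
2024-05-01 12:00:04 UTC [1236] LOG:  connection received: host=203.0.113.5 port=40001
2024-05-01 12:00:05 UTC [1237] LOG:  connection received: host=10.0.0.8 port=40002
2024-05-01 12:00:06 UTC [1237] LOG:  connection authorized: user=app database=prod
"""

LINE_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<level>\w+):\s+(?P<msg>.*)$")
RECEIVED_RE = re.compile(r"connection received: host=(?P<host>\S+)")
AUTHORIZED_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")
FAILED_RE = re.compile(r'authentication failed for user "(?P<user>[^"]+)"')


@dataclass
class Signal:
    pid: str
    client_ip: str          # maps to @network.client.ip in the rule
    db_user: Optional[str]  # maps to @db.user; None when no login was attempted
    severity: str           # "High" for a successful login, "Low" otherwise


def evaluate(log_text: str, malicious_ips: set) -> list:
    """Group lines by backend PID, decide the login outcome, emit one signal per malicious connection."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"host": None, "user": None, "outcome": "none"})
        msg = m["msg"]
        if r := RECEIVED_RE.search(msg):
            s["host"] = r["host"]
        elif r := AUTHORIZED_RE.search(msg):
            s["user"], s["outcome"] = r["user"], "success"
        elif r := FAILED_RE.search(msg):
            s["user"], s["outcome"] = r["user"], "failed"
    signals = []
    for pid, s in sessions.items():
        if s["host"] in malicious_ips:
            severity = "High" if s["outcome"] == "success" else "Low"
            signals.append(Signal(pid, s["host"], s["user"], severity))
    return signals
```

Session 1237 comes from a non-listed host and therefore produces no signal, while 1236 (connection received, no login attempt) still produces a Low signal.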

Triage and response

  1. Determine if the user {{ @db.user }} is expected to authenticate from the IP {{ @network.client.ip }}.
  2. Restrict network access to the database. Remove any public access.
  3. If the login was successful, review database logs for suspicious actions taken by the user {{ @db.user }}.
  4. Rotate credentials for the affected account.