Malicious IP connected to PostgreSQL database
Goal
Detect database connections from IP addresses that are identified as malicious. Network access to database servers should be restricted.
Strategy
This rule monitors logs from PostgreSQL to detect when a connection originates from an IP identified as malicious. Datadog enriches all ingested logs with threat intelligence in real time.
A High signal is generated if the connection resulted in a successful login. A Low signal is generated if there was no login attempt or the login attempt failed.
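The High/Low split described above, applied to PostgreSQL server log lines as an added illustration; this is not the Datadog rule's implementation, and the log lines, the malicious-IP list and the function name are constructed for the example:

```python
import re

# Constructed sample PostgreSQL logs (log_connections=on, default prefix '%m [%p] ').
# The backend PID in brackets ties "connection received" to its login outcome.
SAMPLE_LOGS = """\
2024-05-01 10:00:00 UTC [4101] LOG:  connection received: host=203.0.113.5 port=51234
2024-05-01 10:00:00 UTC [4101] LOG:  connection authorized: user=app database=prod
2024-05-01 10:00:05 UTC [4102] LOG:  connection received: host=198.51.100.7 port=4444
2024-05-01 10:00:05 UTC [4102] FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:09 UTC [4103] LOG:  connection received: host=198.51.100.9 port=4445
2024-05-01 10:00:10 UTC [4104] LOG:  connection received: host=10.0.0.12 port=50000
2024-05-01 10:00:10 UTC [4104] LOG:  connection authorized: user=app database=prod
"""

# Constructed stand-in for a threat-intelligence feed (documentation-range IPs).
MALICIOUS_IPS = {"203.0.113.5", "198.51.100.7", "198.51.100.9"}

LINE_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<level>\w+):\s+(?P<msg>.*)$")
RECEIVED_RE = re.compile(r"connection received: host=(?P<ip>[\d.:a-fA-F]+)")
AUTHORIZED_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")
FAILED_RE = re.compile(r'authentication failed for user "(?P<user>[^"]+)"')


def evaluate(log_text, malicious_ips):
    """Return (client_ip, user, severity) for each session from a malicious IP.

    Severity is HIGH when the login succeeded, LOW when it failed or was never
    attempted, mirroring the rule's two signal levels.
    """
    sessions = {}  # pid -> {"ip", "user", "outcome"}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if r := RECEIVED_RE.search(msg):
            sessions[pid] = {"ip": r["ip"], "user": None, "outcome": "none"}
        elif pid in sessions and (a := AUTHORIZED_RE.search(msg)):
            sessions[pid].update(user=a["user"], outcome="success")
        elif pid in sessions and (f := FAILED_RE.search(msg)):
            sessions[pid].update(user=f["user"], outcome="failed")
    signals = []
    for s in sessions.values():
        if s["ip"] not in malicious_ips:
            continue
        severity = "HIGH" if s["outcome"] == "success" else "LOW"
        signals.append((s["ip"], s["user"], severity))
    return signals
```

The session from 10.0.0.12 produces no signal because its IP is not on the list; the three malicious-IP sessions yield one HIGH and two LOW signals.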
Triage and response
- Determine if the user {{ @db.user }} is expected to authenticate from the IP {{ @network.client.ip }}.
- Restrict network access to the database. Remove any public access.
- If the login was successful, review database logs for suspicious actions taken by the user {{ @db.user }}.
- Rotate credentials for the affected account.