Windows MSSQL disable audit settings
Goal
Detects attempts to disable or modify SQL Server audit settings through ALTER or DROP commands.
Strategy
This rule monitors for event ID 33205, which captures SQL Server audit-related commands. The detection focuses on ALTER and DROP operations targeting SERVER AUDIT configurations, which could indicate attempts to disable security monitoring capabilities within the SQL Server environment.
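The matching logic described above, sketched as an added example (not the rule's own query): it filters on event ID 33205 and flags ALTER or DROP statements against a SERVER AUDIT. The event dictionaries, the `key:value` message layout with `server_principal_name` and `statement` fields, and the `disables_audit` triage hint are assumptions, and the sample events are constructed.

```python
import re

AUDIT_EVENT_ID = 33205  # event ID named by the rule
# ALTER or DROP on SERVER AUDIT; also covers SERVER AUDIT SPECIFICATION
AUDIT_CHANGE = re.compile(
    r"\b(ALTER|DROP)\s+SERVER\s+AUDIT\b(?:\s+SPECIFICATION\b)?\s+(\[[^\]]+\]|\S+)", re.I)
STATE_OFF = re.compile(r"\bSTATE\s*=\s*OFF\b", re.I)
FIELD = re.compile(r"^(\w+):(.*)$", re.M)  # assumed "key:value" lines in the message

def parse_message(message):
    """Split an audit record message into a dict of its key:value lines."""
    return {k: v.strip() for k, v in FIELD.findall(message)}

def detect(events):
    """Return one finding per 33205 event whose statement alters or drops an audit."""
    findings = []
    for ev in events:
        if ev["event_id"] != AUDIT_EVENT_ID:
            continue
        fields = parse_message(ev["message"])
        stmt = fields.get("statement", "")
        m = AUDIT_CHANGE.search(stmt)
        if not m:
            continue
        op = m.group(1).upper()
        findings.append({
            "host": ev["host"],
            "principal": fields.get("server_principal_name", "unknown"),
            "operation": op,
            "target": m.group(2).strip("[];"),
            # Triage hint: DROP or STATE = OFF stops auditing outright
            "disables_audit": op == "DROP" or bool(STATE_OFF.search(stmt)),
        })
    return findings

def msg(principal, statement):
    """Build a constructed audit message in the assumed layout."""
    return ("Audit event: audit_schema_version:1\nsucceeded:true\n"
            f"server_principal_name:{principal}\nstatement:{statement}\n")

# Constructed sample events (hosts, principals and audit names are made up)
SAMPLE_EVENTS = [
    {"event_id": 33205, "host": "sql01", "message": msg("CORP\\svc_app", "ALTER SERVER AUDIT [Audit-Main] WITH (STATE = OFF)")},
    {"event_id": 33205, "host": "sql01", "message": msg("CORP\\dba1", "drop server audit specification LoginSpec;")},
    {"event_id": 33205, "host": "sql02", "message": msg("CORP\\dba1", "ALTER SERVER AUDIT [Audit-Main] WITH (STATE = ON)")},
    {"event_id": 33205, "host": "sql02", "message": msg("CORP\\dba1", "SELECT name FROM sys.server_audits")},
    {"event_id": 18456, "host": "sql02", "message": "Login failed for user 'sa'."},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The third sample event is still reported because the rule covers any modification, but `disables_audit` is false there, which helps separate re-enabling an audit from turning it off.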
Triage & Response
- Examine the specific audit configuration changes made to the SQL Server instance on {{host}}.
- Verify if the modifications were part of authorized maintenance or change management.
- Check for any concurrent suspicious activities around the time of the audit changes.
- Restrict audit configuration modifications to authorized database administrators.