Windows MSSQL disable audit settings

This rule is part of a beta feature. To learn more, contact Support.
windows

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects attempts to disable or modify SQL Server audit settings through ALTER or DROP commands.

Strategy

This rule monitors for event ID 33205 which captures SQL Server audit-related commands. The detection focuses on ALTER and DROP operations targeting SERVER AUDIT configurations, which could indicate attempts to disable security monitoring capabilities within the SQL Server environment.

Triage & Response

  • Examine the specific audit configuration changes made to the SQL Server instance on {{host}}.
  • Verify if the modifications were part of authorized maintenance or change management.
  • Check for any concurrent suspicious activities around the time of the audit changes.
  • Restrict audit configuration modifications to authorized database administrators.