Windows MSSQL disable audit settings

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects attempts to disable or modify SQL Server audit settings through ALTER or DROP commands.

Strategy

This rule monitors for event ID 33205, which captures SQL Server audit-related commands. The detection focuses on ALTER and DROP operations targeting SERVER AUDIT configurations, which could indicate attempts to disable security monitoring capabilities within the SQL Server environment.
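The following is an added, self-contained illustration of the detection logic described above; it is not Datadog's rule implementation. It runs over a handful of constructed event lines in a simplified `key:value` layout loosely modelled on the body of SQL Server audit event 33205 (the real message carries more fields and its exact formatting varies by SQL Server version and log collector, so the parser is an assumption). It flags ALTER and DROP statements against SERVER AUDIT objects, goes one step beyond the text by also covering SERVER AUDIT SPECIFICATION objects, and marks which findings stop auditing outright (`DROP`, or `STATE = OFF`) so that triage can prioritize them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Event ID SQL Server uses for audit events written to the Windows event log.
AUDIT_EVENT_ID = "33205"

# Constructed sample events (not real log data). Layout: space-separated key:value
# fields, with the T-SQL text carried in a trailing "statement:" field.
SAMPLE_EVENTS = [
    "event_id:33205 host:sqlprod01 server_principal_name:CONTOSO\\dba_jane "
    "statement:ALTER SERVER AUDIT [Audit_Prod] WITH (STATE = OFF)",
    "event_id:33205 host:sqlprod01 server_principal_name:CONTOSO\\svc_app "
    "statement:DROP SERVER AUDIT [Audit_Prod]",
    "event_id:33205 host:sqlprod02 server_principal_name:CONTOSO\\dba_jane "
    "statement:ALTER SERVER AUDIT [Audit_Prod] TO FILE (FILEPATH = 'D:\\audit\\')",
    "event_id:33205 host:sqlprod02 server_principal_name:CONTOSO\\svc_app "
    "statement:DROP SERVER AUDIT SPECIFICATION [Spec_Logins]",
    "event_id:33205 host:sqlprod02 server_principal_name:CONTOSO\\dba_jane "
    "statement:SELECT * FROM sys.server_audits",
    # Same statement text but a different event ID: must not fire.
    "event_id:4624 host:sqlprod02 statement:ALTER SERVER AUDIT [x] WITH (STATE = OFF)",
]

# ALTER/DROP against a server audit or a server audit specification, capturing
# the verb, the optional SPECIFICATION keyword, and the (possibly bracketed) name.
ALTER_OR_DROP = re.compile(
    r"^\s*(ALTER|DROP)\s+SERVER\s+AUDIT\b(\s+SPECIFICATION)?\s+(\[?[^\]\s]+\]?)",
    re.IGNORECASE,
)
# WITH (STATE = OFF) turns an audit or specification off without removing it.
STATE_OFF = re.compile(r"\bSTATE\s*=\s*OFF\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    principal: str
    verb: str          # "ALTER" or "DROP"
    target: str        # audit object name, brackets removed
    disables: bool     # True when auditing stops outright (DROP or STATE = OFF)
    statement: str     # whitespace-normalized T-SQL text


def parse_event(line: str):
    """Split a sample line into its key:value fields and the statement text."""
    head, _, statement = line.partition(" statement:")
    fields = {}
    for token in head.split():
        key, _, value = token.partition(":")
        fields[key] = value
    return fields, statement.strip()


def evaluate(line: str) -> Optional[Finding]:
    """Return a Finding when the line is an audit-configuration change, else None."""
    fields, statement = parse_event(line)
    if fields.get("event_id") != AUDIT_EVENT_ID:
        return None
    # Collapse newlines/tabs so multi-line statements match the same pattern.
    normalized = " ".join(statement.split())
    match = ALTER_OR_DROP.match(normalized)
    if not match:
        return None
    verb = match.group(1).upper()
    target = match.group(3).strip("[]")
    disables = verb == "DROP" or STATE_OFF.search(normalized) is not None
    return Finding(
        host=fields.get("host", "?"),
        principal=fields.get("server_principal_name", "?"),
        verb=verb,
        target=target,
        disables=disables,
        statement=normalized,
    )


def run(lines) -> list:
    """Evaluate every line and keep only the findings, in input order."""
    return [f for f in (evaluate(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        severity = "HIGH" if finding.disables else "MEDIUM"
        print(f"[{severity}] {finding.host} {finding.principal} "
              f"{finding.verb} {finding.target}: {finding.statement}")
```

The `disables` flag separates the cases the triage steps care about most (auditing switched off or the audit object removed) from routine configuration changes such as re-pointing an audit at a new file path, which still merit a change-management check but less urgency. When working a real alert, the current state of every audit on the host can be confirmed directly in SQL Server via `sys.server_audits` and `sys.dm_server_audit_status`.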

Triage & Response

  • Examine the specific audit configuration changes made to the SQL Server instance on {{host}}.
  • Verify if the modifications were part of authorized maintenance or change management.
  • Check for any concurrent suspicious activities around the time of the audit changes.
  • Restrict audit configuration modifications to authorized database administrators.