Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects attempts to disable or modify SQL Server audit settings through ALTER or DROP commands.

Strategy

This rule monitors for event ID 33205 which captures SQL Server audit-related commands. The detection focuses on ALTER and DROP operations targeting SERVER AUDIT configurations, which could indicate attempts to disable security monitoring capabilities within the SQL Server environment.

Triage & Response

• Examine the specific audit configuration changes made to the SQL Server instance on {{host}}.
• Verify if the modifications were part of authorized maintenance or change management.
• Check for any concurrent suspicious activities around the time of the audit changes.
• Restrict audit configuration modifications to authorized database administrators.