| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1078 | Valid Accounts |
Comments
This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110 | Brute Force |
Comments
This control covers the majority of sub-techniques for this parent technique and may cover both successful and unsuccessful brute force attacks. This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.001 | Password Guessing |
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.003 | Password Spraying |
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1110.004 | Credential Stuffing |
Comments
This control may alert on repeated sign in attempts to the resource and successful logins from a suspicious location, IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1190 | Exploit Public-Facing Application |
Comments
This control may alert on usage of faulty SQL statements. This generates an alert for a possible SQL injection by an application. Alerts may not be generated on usage of valid SQL statements by attackers for malicious purposes.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | minimal | T1213 | Data from Information Repositories |
Comments
This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References
|
| advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | detect | partial | T1078.004 | Cloud Accounts |
Comments
This control may alert on logon events that are suspicious. This includes logins from unusual locations, logins from suspicious IP addresses, and users that do not commonly access the resource. These alerts may limit the ability of an attacker to utilize a valid cloud account to access and manipulate Azure databases.
References
|