Azure advanced_threat_protection_for_azure_sql_database Mappings

This control provides alerts for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. An alert may be generated on suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access and query patterns.

Mappings

Capability ID: advanced_threat_protection_for_azure_sql_database
Capability Description: Advanced Threat Protection for Azure SQL Database

Each entry below gives the Category and Value of the mapping, the ATT&CK ID and ATT&CK Name it maps to, and the Notes (Comments and References) recorded for it.

T1078 Valid Accounts
Category: detect
Value: minimal
Comments: This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References: none listed

T1078.004 Cloud Accounts
Category: detect
Value: partial
Comments: This control may alert on suspicious logon events, including logins from unusual locations, logins from suspicious IP addresses, and logins by users that do not commonly access the resource. These alerts may limit the ability of an attacker to use a valid cloud account to access and manipulate Azure databases.
References: none listed

T1213 Data from Information Repositories
Category: detect
Value: minimal
Comments: This control may alert on extraction of a large amount of data to an unusual location. No documentation is provided on the logic for determining an unusual location.
References: none listed

T1110 Brute Force
Category: detect
Value: minimal
Comments: This control covers the majority of sub-techniques for this parent technique and may cover both successful and unsuccessful brute force attacks. This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control.
References: none listed

T1110.001 Password Guessing
Category: detect
Value: minimal
Comments: This control may alert on repeated sign-in attempts to the resource and on successful logins from a suspicious location, a suspicious IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References: none listed

T1110.003 Password Spraying
Category: detect
Value: minimal
Comments: This control may alert on repeated sign-in attempts to the resource and on successful logins from a suspicious location, a suspicious IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References: none listed

T1110.004 Credential Stuffing
Category: detect
Value: minimal
Comments: This control may alert on repeated sign-in attempts to the resource and on successful logins from a suspicious location, a suspicious IP address, or a user that does not commonly log in to the resource. Because this control is specific to Azure database offerings, the detection coverage is Minimal.
References: none listed

T1190 Exploit Public-Facing Application
Category: detect
Value: minimal
Comments: This control may alert on usage of faulty SQL statements, which generates an alert for a possible SQL injection by an application. Alerts may not be generated on usage of valid SQL statements by attackers for malicious purposes.
References: none listed
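The T1078.004 and T1110.x comments above describe the sign-in heuristics this control is mapped to: repeated sign-in attempts from one source, and successful logins from an unfamiliar location, IP address, or user. The following is an added illustration of what those heuristics look like when applied to a database sign-in audit trail; it is not Microsoft's detection logic or alert schema, which are not documented on this page. The SignIn record layout, the baseline sets, the thresholds, and the sample events are all constructed assumptions.

```python
"""Illustrative sign-in anomaly heuristics (added example; not the control's own logic).

Two detections are shown:
  1. repeated failed sign-ins from one source IP within a sliding window,
     split into password guessing (one user, many failures) and password
     spraying (many users, one or two failures each);
  2. successful logins that are unusual for the resource (unfamiliar user,
     IP, or country), including a success that follows repeated failures.
All schema, baselines, thresholds and events below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    country: str
    success: bool


# Constructed baseline of "common" access (assumption; a real system would
# derive this from historical audit data for the resource).
BASELINE_USERS = {"app_svc", "dba_alice"}
BASELINE_IPS = {"203.0.113.10"}
BASELINE_COUNTRIES = {"US"}


def detect_repeated_attempts(events, window=timedelta(minutes=10),
                             max_failures=5, spray_users=3):
    """Flag repeated failures per source IP inside a sliding time window.
    Each (kind, src_ip, user) combination is reported at most once."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, user) for failures
    alerts, seen = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.success:
            continue
        q = recent[ev.src_ip]
        q.append((ev.ts, ev.user))
        while q and ev.ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        per_user = defaultdict(int)
        for _, user in q:
            per_user[user] += 1
        candidates = []
        if per_user[ev.user] >= max_failures:
            candidates.append(("password_guessing", ev.src_ip, ev.user))
        if len(per_user) >= spray_users:
            candidates.append(("password_spraying", ev.src_ip, None))
        for key in candidates:
            if key not in seen:
                seen.add(key)
                alerts.append({"kind": key[0], "src_ip": key[1],
                               "user": key[2], "ts": ev.ts})
    return alerts


def detect_anomalous_success(events, flagged_ips=frozenset()):
    """Flag successful logins that deviate from the baseline, giving the reasons."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue
        reasons = []
        if ev.user not in BASELINE_USERS:
            reasons.append("unfamiliar user")
        if ev.src_ip not in BASELINE_IPS:
            reasons.append("unfamiliar IP")
        if ev.country not in BASELINE_COUNTRIES:
            reasons.append("unfamiliar location")
        if ev.src_ip in flagged_ips:
            reasons.append("success after repeated failures")
        if reasons:
            alerts.append({"kind": "anomalous_login", "src_ip": ev.src_ip,
                           "user": ev.user, "ts": ev.ts, "reasons": reasons})
    return alerts


def run_detection(events):
    """Run both heuristics; successes from IPs with repeated failures are cross-referenced."""
    repeated = detect_repeated_attempts(events)
    flagged = {a["src_ip"] for a in repeated}
    return {"repeated": repeated,
            "anomalous": detect_anomalous_success(events, flagged)}


def sample_events():
    """Constructed audit records: a guessing burst that ends in a success,
    a low-and-slow spray across four users, and one ordinary login."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = [SignIn(t0 + timedelta(minutes=i), "dba_alice", "198.51.100.7", "XX", False)
              for i in range(6)]
    events.append(SignIn(t0 + timedelta(minutes=7), "dba_alice", "198.51.100.7", "XX", True))
    events += [SignIn(t0 + timedelta(minutes=20 + i), u, "192.0.2.9", "XX", False)
               for i, u in enumerate(["u1", "u2", "u3", "u4"])]
    events.append(SignIn(t0 + timedelta(minutes=30), "app_svc", "203.0.113.10", "US", True))
    return events


if __name__ == "__main__":
    for kind, found in run_detection(sample_events()).items():
        for alert in found:
            print(kind, alert)
```

On the constructed sample this yields one password-guessing alert, one password-spraying alert, and one anomalous-login alert whose reasons are the unfamiliar IP, the unfamiliar location, and the success following repeated failures; the ordinary `app_svc` login produces nothing. The window and thresholds are deliberately simple so the logic is readable; what counts as "unusual" in the real control is not documented on this page, which is the point the T1213 comment also makes.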