Unexpected Azure API calls indicating PostgreSQL database modification
Description
AlphaSOC detected modification of an Azure Database for PostgreSQL Flexible Server via Microsoft.DBforPostgreSQL/flexibleServers/configurations/write or Microsoft.DBforPostgreSQL/flexibleServers/write actions. Configuration changes can affect database security, performance, and operational behavior.
Database configuration modifications may indicate legitimate administration or an attacker weakening security controls to facilitate data access or exfiltration. Changes to authentication settings, network rules, or security features are particularly concerning.
Impact
Unauthorized database modifications can weaken security posture, enable unauthorized access, or disrupt database operations. Attackers may modify configurations to disable logging, open network access, or weaken authentication requirements before exfiltrating data.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
Investigation and Remediation
Review Azure Activity logs to identify the specific configuration changes and the principal responsible. Assess whether the modifications align with approved change management processes. Pay particular attention to changes affecting security, logging, or network access settings.
If unauthorized, revert the configuration changes and investigate the principal's other activities. Audit database access logs for suspicious queries during the modification window. Implement Azure Policy to enforce secure configurations and restrict database administrative access.
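The triage step above (find the watched write operations in the Azure Activity Log, identify the principal and source, and rate the deviation using the severity table) can be scripted. The following is an added example, not AlphaSOC code: the Activity Log records, the per-principal baseline of operations, the set of expected ASNs and the IP-to-ASN map are all constructed here (Activity Log records carry only `callerIpAddress`, so the ASN is assumed to come from an external enrichment lookup). The list of "sensitive" server parameters is a starting point chosen for this example, not an exhaustive one.

```python
"""Triage Azure Activity Log records for PostgreSQL Flexible Server writes.
Sample records, baselines and the IP-to-ASN map below are constructed for
this example; ASN enrichment is assumed to come from an external lookup."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Operations from the alert description. Compared case-insensitively because
# the Azure Monitor Activity Log schema upper-cases operationName.
WATCHED_OPERATIONS = {
    "microsoft.dbforpostgresql/flexibleservers/configurations/write",
    "microsoft.dbforpostgresql/flexibleservers/write",
}

# Server parameters whose change touches transport security, authentication
# or logging (starting-point list for this example, not exhaustive).
SENSITIVE_PARAMETERS = {
    "require_secure_transport", "password_encryption",
    "log_connections", "log_disconnections", "pgaudit.log",
}


@dataclass
class Finding:
    caller: str
    source_ip: str
    asn: Optional[int]
    operation: str
    resource_id: str
    parameter: Optional[str]   # only set for configurations/write
    sensitive: bool            # parameter is in SENSITIVE_PARAMETERS
    unexpected: List[str]      # baseline properties that did not match
    severity: str              # "Low" or "Medium", per the severity table


def parameter_from_resource_id(resource_id: str) -> Optional[str]:
    """For configurations/write the resourceId ends in /configurations/<name>."""
    parts = resource_id.split("/")
    if len(parts) >= 2 and parts[-2].lower() == "configurations":
        return parts[-1].lower()
    return None


def severity_for(unexpected: List[str]) -> Optional[str]:
    """Mirror the severity table: one unexpected property is Low, two at the
    same time is Medium, none means the change matches the baseline."""
    if len(unexpected) >= 2:
        return "Medium"
    if len(unexpected) == 1:
        return "Low"
    return None


def triage(records, baseline_ops: Dict[str, Set[str]],
           expected_asns: Set[int], ip_to_asn: Dict[str, int]) -> List[Finding]:
    """Return one Finding per watched write that deviates from the baseline."""
    findings = []
    for rec in records:
        op = rec["operationName"].lower()
        if op not in WATCHED_OPERATIONS:
            continue  # not a PostgreSQL Flexible Server write
        caller, ip = rec["caller"], rec["callerIpAddress"]
        asn = ip_to_asn.get(ip)
        unexpected = []
        # "action": has this principal performed this operation before?
        if op not in baseline_ops.get(caller, set()):
            unexpected.append("action")
        # "asn": is the source network one administration has come from before?
        if asn not in expected_asns:
            unexpected.append("asn")
        severity = severity_for(unexpected)
        if severity is None:
            continue  # matches baseline; no alert
        param = parameter_from_resource_id(rec["resourceId"])
        findings.append(Finding(caller, ip, asn, op, rec["resourceId"], param,
                                param in SENSITIVE_PARAMETERS, unexpected, severity))
    return findings


# Constructed sample data (subscription id, principals, IPs and ASNs are placeholders).
_SERVER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
           "/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-prod")
SAMPLE_RECORDS = [
    {"operationName": "MICROSOFT.DBFORPOSTGRESQL/FLEXIBLESERVERS/CONFIGURATIONS/WRITE",
     "caller": "dba@corp.example", "callerIpAddress": "203.0.113.10",
     "resourceId": _SERVER + "/configurations/work_mem"},            # tuning, baseline
    {"operationName": "MICROSOFT.DBFORPOSTGRESQL/FLEXIBLESERVERS/CONFIGURATIONS/WRITE",
     "caller": "svc-deploy@corp.example", "callerIpAddress": "198.51.100.7",
     "resourceId": _SERVER + "/configurations/require_secure_transport"},
    {"operationName": "MICROSOFT.DBFORPOSTGRESQL/FLEXIBLESERVERS/WRITE",
     "caller": "dba@corp.example", "callerIpAddress": "192.0.2.44",
     "resourceId": _SERVER},
    {"operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "caller": "dba@corp.example", "callerIpAddress": "203.0.113.10",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/unrelated"},
]
BASELINE_OPERATIONS = {
    "dba@corp.example": set(WATCHED_OPERATIONS),
    "svc-deploy@corp.example": {"microsoft.dbforpostgresql/flexibleservers/write"},
}
IP_TO_ASN = {"203.0.113.10": 64500, "198.51.100.7": 64501, "192.0.2.44": 64502}
EXPECTED_ASNS = {64500}

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, BASELINE_OPERATIONS, EXPECTED_ASNS, IP_TO_ASN):
        print(f"{f.severity:6} {f.caller} from AS{f.asn} {f.operation} "
              f"param={f.parameter} sensitive={f.sensitive} unexpected={f.unexpected}")
```

Run against the constructed records, the `work_mem` change from a known principal and network is dropped as baseline (the performance-tuning false positive listed below), the `require_secure_transport` change by a principal that has never written configurations, from an unseen network, is rated Medium and flagged as touching a sensitive parameter, and the server write from a known principal but unseen network is rated Low. The `sensitive` flag does not change the severity (the table does not define it) but tells the analyst which findings to review first.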
Known False Positives
- Legitimate database performance tuning
- Planned security configuration updates