Azure API calls indicating PostgreSQL firewall modification
Description
AlphaSOC detected modification or deletion of Azure PostgreSQL Flexible Server firewall rules via Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write or Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete actions.
Firewall rule modifications can expose databases to unauthorized networks or remove access restrictions. Attackers may modify firewall rules to enable access from external systems under their control or to open the database to broader attack.
Impact
Firewall modifications can expose databases to unauthorized access from untrusted networks. Adding overly permissive rules or deleting restrictive ones increases attack surface and may enable data exfiltration to attacker-controlled systems.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
Investigation and Remediation
Review Azure Activity logs to identify the specific firewall changes and the principal responsible. Assess whether the new rules allow access from unexpected networks or if protective rules were removed.
If unauthorized, revert the firewall configuration and investigate why the change was made. Audit database connections for unauthorized access during the exposure window. Implement Azure Policy to enforce network access restrictions.
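The triage described above, written out as an added example (not AlphaSOC's detection code or Microsoft's tooling): it walks Azure Activity Log records, keeps only the two firewallRules operations named in this rule, pulls the requested IP range out of write events, and grades each finding with the same Low/Medium logic as the severity table. The record layout (operationName.value, caller, status.value, resourceId, properties.requestbody), the callerAsn enrichment field, the allow-lists and the sample records are all assumptions constructed for the example.

```python
"""Triage Azure Activity Log records for PostgreSQL Flexible Server firewall changes.

Assumed record shape (not taken from the page): the Activity Log REST/export form
with operationName.value, caller, status.value, resourceId and, for write events,
the ARM request body as a JSON string under properties.requestbody. callerAsn is
an assumed enrichment field added upstream; the Activity Log has no ASN natively.
"""
import ipaddress
import json

WATCHED_OPS = {
    "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write",
    "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete",
}

# Constructed allow-lists standing in for the "expected" principal and source
# ASN that the severity conditions refer to.
EXPECTED_CALLERS = {"dba-automation@example.com"}
EXPECTED_ASNS = {64512}

# Any single rule wider than this many addresses (a /24) is treated as exposure.
MAX_RULE_ADDRESSES = 256

SERVER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-db"
          "/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-prod")


def _record(action, caller, asn, rule, start=None, end=None):
    """Build a constructed Activity Log record in the assumed shape."""
    rec = {
        "operationName": {"value": f"Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/{action}"},
        "caller": caller,
        "callerAsn": asn,
        "status": {"value": "Succeeded"},
        "resourceId": f"{SERVER}/firewallRules/{rule}",
        "properties": {},
    }
    if action == "write":
        body = {"properties": {"startIpAddress": start, "endIpAddress": end}}
        rec["properties"]["requestbody"] = json.dumps(body)
    return rec


# Constructed sample events: a routine change, a wide-open rule added by an
# unknown principal from an unknown network, and a rule removed by that principal.
SAMPLE_RECORDS = [
    _record("write", "dba-automation@example.com", 64512, "app-subnet", "10.20.30.0", "10.20.30.255"),
    _record("write", "contractor@example.net", 64999, "AllowAll", "0.0.0.0", "255.255.255.255"),
    _record("delete", "contractor@example.net", 64512, "office-only"),
]


def rule_width(start, end):
    """Number of IPv4 addresses a start/end firewall rule admits."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if e < s:
        raise ValueError("endIpAddress precedes startIpAddress")
    return e - s + 1


def parse_rule_range(rec):
    """Return (start, end) from a write event's request body, or None if absent."""
    body = rec.get("properties", {}).get("requestbody")
    if not body:
        return None
    props = json.loads(body).get("properties", {})
    start, end = props.get("startIpAddress"), props.get("endIpAddress")
    return (start, end) if start and end else None


def assess_record(rec):
    """Return a finding dict for a suspicious firewall change, else None."""
    op = rec.get("operationName", {}).get("value", "")
    if op not in WATCHED_OPS or rec.get("status", {}).get("value") != "Succeeded":
        return None  # other operations, or attempts that never changed the server
    reasons = []
    if rec.get("caller") not in EXPECTED_CALLERS:
        reasons.append("unexpected caller")
    if rec.get("callerAsn") not in EXPECTED_ASNS:
        reasons.append("unexpected source ASN")
    action = op.rsplit("/", 1)[-1]
    rule_name = rec["resourceId"].rsplit("/", 1)[-1]
    exposure = None
    if action == "write":
        rng = parse_rule_range(rec)
        if rng and rule_width(*rng) > MAX_RULE_ADDRESSES:
            exposure = f"rule admits {rule_width(*rng)} addresses ({rng[0]}-{rng[1]})"
    else:
        # Delete events carry no body; the removed range must be recovered from
        # the rule's earlier write event before deciding what protection was lost.
        exposure = "rule removed; recover its range from the preceding write event"
    if not reasons and exposure is None:
        return None
    # Mirrors the severity table: one unexpected property is Low, two is Medium.
    severity = "medium" if len(reasons) >= 2 else "low"
    return {"rule": rule_name, "action": action, "caller": rec.get("caller"),
            "severity": severity, "reasons": reasons, "exposure": exposure}


def triage(records):
    """Findings for every suspicious record, in log order."""
    return [f for f in (assess_record(r) for r in records) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The expected caller and ASN sets are where an organisation's own baseline goes; in practice they would come from the automation identities and egress networks that are allowed to touch database networking, and a change that passes both checks but still widens a rule past the threshold is surfaced so the reviewer can confirm it against a change record.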
Known False Positives
- Legitimate network architecture changes
- Adding access for new application deployments