Unexpected Azure API calls indicating PostgreSQL logging configuration change
Description
AlphaSOC detected changes to Azure PostgreSQL Flexible Server logging configuration parameters via Microsoft.DBforPostgreSQL/flexibleServers/configurations/write. This detection monitors changes to the log_connections, log_disconnections, log_checkpoints, and logfiles.retention_days settings.
Modifying logging configurations is a defense evasion technique. Attackers may disable connection logging to hide their database access, reduce log retention to accelerate evidence destruction, or disable checkpoint logging to obscure database modifications.
Impact
Disabled or reduced logging impairs the ability to detect unauthorized database access, investigate security incidents, and maintain compliance audit trails. Without connection logs, unauthorized access may go undetected indefinitely.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
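The following is an added illustration of the detection logic described above and of the severity table; it is not AlphaSOC's detector. It walks constructed, simplified Azure Activity Log records, keeps only writes to the monitored parameters, and treats a change as an unexpected action when it weakens logging against a known-good baseline (a `log_*` parameter set to `off`, or `logfiles.retention_days` lowered). "Unexpected ASN" is approximated with a list of expected source networks, since ASN enrichment needs external data; the baseline, the expected networks, the record field layout and the reading of "two unexpected properties at the same time" as "both the action and the source are unexpected in one event" are all assumptions of this example.

```python
"""Toy detector for Azure PostgreSQL Flexible Server logging-configuration changes.

Added example, not AlphaSOC's code. Records are constructed and simplified; the
field names follow the Azure Activity Log shape (operationName.value, caller,
resourceId, properties.requestbody, httpRequest.clientIpAddress).
"""
import ipaddress
import json

OPERATION = "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write"
MONITORED = {"log_connections", "log_disconnections",
             "log_checkpoints", "logfiles.retention_days"}

# Hypothetical known-good settings and expected admin egress networks. In a real
# deployment these would come from configuration management and ASN enrichment.
BASELINE = {"log_connections": "on", "log_disconnections": "on",
            "log_checkpoints": "on", "logfiles.retention_days": 7}
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed


def is_evasive(param, value):
    """True when the new value weakens logging relative to the baseline."""
    if param == "logfiles.retention_days":
        try:
            return int(value) < int(BASELINE[param])
        except ValueError:
            return False  # non-numeric value: leave it to a separate malformed-input check
    return str(value).lower() == "off" and BASELINE[param] == "on"


def source_expected(ip):
    """True when the caller's IP falls inside an expected network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETS)


def evaluate(record):
    """Return an alert dict for one Activity Log record, or None if nothing is unexpected."""
    if record.get("operationName", {}).get("value") != OPERATION:
        return None
    # The parameter name is the last segment of the configurations resource id.
    param = record["resourceId"].rsplit("/", 1)[-1]
    if param not in MONITORED:
        return None
    body = json.loads(record["properties"]["requestbody"])
    value = body["properties"]["value"]

    unexpected = []
    if is_evasive(param, value):
        unexpected.append("action")
    if not source_expected(record["httpRequest"]["clientIpAddress"]):
        unexpected.append("source")
    if not unexpected:
        return None
    # Severity table: one unexpected property -> Low, two at the same time -> Medium.
    severity = "Medium" if len(unexpected) >= 2 else "Low"
    return {"severity": severity, "caller": record["caller"], "parameter": param,
            "value": value, "unexpected": unexpected}


def run(records):
    """Evaluate a batch of records and return the alerts in input order."""
    return [alert for alert in map(evaluate, records) if alert]


def make_record(param, value, caller, ip):
    """Build a constructed Activity Log record (placeholder subscription/resource names)."""
    rid = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
           "/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-example/configurations/" + param)
    return {"operationName": {"value": OPERATION}, "caller": caller, "resourceId": rid,
            "httpRequest": {"clientIpAddress": ip},
            "properties": {"requestbody": json.dumps(
                {"properties": {"value": value, "source": "user-override"}})}}


# Constructed sample batch: two evasive changes, one benign change, one unrelated
# parameter, and one benign change from an unexpected network.
SAMPLE_RECORDS = [
    make_record("log_connections", "off", "svc-ci@example.com", "198.51.100.7"),
    make_record("logfiles.retention_days", "3", "dba@example.com", "203.0.113.10"),
    make_record("log_checkpoints", "on", "dba@example.com", "203.0.113.10"),
    make_record("work_mem", "65536", "dba@example.com", "203.0.113.10"),
    make_record("log_disconnections", "on", "dba@example.com", "198.51.100.7"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_RECORDS):
        print(alert)
```

In the sample batch the first record is Medium (connection logging turned off from outside the expected network), the retention reduction is Low (unexpected action only), the write from an unexpected network that keeps `log_disconnections` on is Low (unexpected source only), and the two benign records produce nothing. Restoring settings found to be unauthorized can be done with `az postgres flexible-server parameter set` on the affected server.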
Investigation and Remediation
Review Azure Activity logs to identify who modified the logging configuration and what specific changes were made. Determine if logging was disabled or retention was reduced, and assess the potential impact on visibility.
If unauthorized, immediately restore appropriate logging settings. Investigate database activity during the reduced logging window using any available logs. Check for other defense evasion activities by the same principal and rotate their credentials.
Known False Positives
- Legitimate performance optimization reducing verbose logging
- Storage cost management in development environments