Unexpected Azure API calls indicating PostgreSQL security configuration change
Description
AlphaSOC detected changes to Azure PostgreSQL Flexible Server security configuration via Microsoft.DBforPostgreSQL/flexibleServers/configurations/write. This detection monitors changes to the connection_throttle.enable setting, which helps protect against brute force attacks.
Disabling connection throttling removes protection against password spraying and brute force authentication attacks.
Impact
Disabling connection throttling allows brute force attacks against database user accounts. This can lead to credential compromise and unauthorized data access, particularly for accounts with weak passwords.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action or ASN |
| Medium | Two unexpected properties at the same time |
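As an added illustration of the detection described above and of the severity table (not AlphaSOC's own implementation), the following Python evaluates constructed Activity log records for the configurations/write operation and scores writes that disable connection_throttle.enable. The trimmed record shape, the `callerAsn` enrichment field, the baseline caller and ASNs, and the server and resource names are all assumptions.

```python
import json
# Assumed: a trimmed Azure Activity log record with a "callerAsn" field that an
# enrichment step is assumed to add from callerIpAddress. All values are constructed.
TARGET_OP = "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write"
TARGET_SETTING = "connection_throttle.enable"
EXPECTED_CALLERS = {"dba-automation@example.com"}  # constructed baseline principal
EXPECTED_ASNS = {64500}                             # constructed baseline (private-use ASN)

def parse_config_write(record):
    """Return (server, setting, new_value) for a configuration write, else None."""
    if record.get("operationName") != TARGET_OP:
        return None
    parts = record["resourceId"].split("/")
    server = parts[parts.index("flexibleServers") + 1]
    setting = parts[parts.index("configurations") + 1]
    body = json.loads(record["properties"]["requestbody"])
    return server, setting, str(body["properties"]["value"]).lower()

def evaluate(record):
    """Score a write that disables throttling: Low for one unexpected property, Medium for two."""
    parsed = parse_config_write(record)
    if parsed is None:
        return None
    server, setting, value = parsed
    if setting != TARGET_SETTING or value != "off":  # re-enabling throttling is not alerted
        return None
    reasons = []
    if record["caller"] not in EXPECTED_CALLERS:
        reasons.append("unexpected caller for this action")
    if record["callerAsn"] not in EXPECTED_ASNS:
        reasons.append("unexpected source ASN")
    if not reasons:
        return None
    return {"caller": record["caller"], "server": server,
            "severity": "Medium" if len(reasons) == 2 else "Low", "reasons": reasons}

def make_record(caller, asn, value, setting=TARGET_SETTING):
    rid = ("/subscriptions/<sub-id>/resourceGroups/rg-db/providers/Microsoft.DBforPostgreSQL"
           f"/flexibleServers/pg-prod-01/configurations/{setting}")
    body = json.dumps({"properties": {"value": value, "source": "user-override"}})
    return {"operationName": TARGET_OP, "caller": caller, "callerAsn": asn,
            "resourceId": rid, "properties": {"requestbody": body}}

SAMPLE_RECORDS = [  # constructed sample records, not real log data
    make_record("dba-automation@example.com", 64500, "off"),  # baseline change: no finding
    make_record("contractor@example.com", 64500, "off"),      # unexpected caller only: Low
    make_record("contractor@example.com", 64512, "off"),      # caller and ASN unexpected: Medium
    make_record("contractor@example.com", 64512, "on"),       # re-enable: ignored
    make_record("contractor@example.com", 64512, "off", setting="log_connections"),  # other setting
]
```

Feeding real records through `evaluate` requires the baseline sets to be populated from the principals and egress ASNs that legitimately manage the servers.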
Investigation and Remediation
Review Azure Activity logs to identify who modified the security configuration. Check PostgreSQL authentication logs for signs of brute force attempts following the configuration change.
If unauthorized, immediately re-enable connection throttling. Investigate whether any authentication attacks occurred during the vulnerability window and reset passwords for potentially compromised accounts. Review the principal's other activities and rotate their credentials.