Azure API calls indicating SQL Server audit settings modification
Description
AlphaSOC detected modification of Azure SQL Server auditing settings via
Microsoft.SQL/servers/auditingSettings/write. Audit settings control whether
database activities such as queries, logins, and administrative actions are
logged for security and compliance purposes.
Adversaries may modify audit settings to disable logging, shorten the retention period, or redirect audit output to a storage destination they control, so that subsequent queries and data access leave no evidence. This is a defense evasion step commonly taken before data exfiltration or manipulation.
Impact
Disabling or weakening SQL Server auditing reduces visibility into database activities. Attackers can execute unauthorized queries, access sensitive data, or modify records without detection. Forensic investigations become difficult when audit logs are unavailable, and compliance requirements may be violated.
Severity
| Severity | Condition |
|---|---|
| Low | Audit settings modification detected |
| Medium | Anomalous audit settings modification |
Investigation and Remediation
Review Azure Activity logs for Microsoft.SQL/servers/auditingSettings/write
events. Examine what audit settings were changed, such as disabling auditing,
changing retention periods, or modifying storage destinations. Verify if changes
were authorized.
If the change was unauthorized, restore the audit settings to their secure configuration immediately. Review any database activity that occurred while auditing was weakened, and investigate the identity that made the change for signs of compromise, data access, or exfiltration. Use Azure Policy to enforce the required audit configuration and alert on any further changes to it.
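Triage logic for the review described above, as an added example (it is not AlphaSOC's detection code and is not taken from this page): it walks constructed Azure Activity log records in order, compares each successful Microsoft.Sql/servers/auditingSettings/write against a last-known-good configuration, flags the weakening changes named in this section (auditing disabled, retention shortened, storage destination changed, Azure Monitor target turned off) and rates each write against the severity table. The baseline configuration, the allowlist of authorized callers, the sample records, the assumption that the request body is available as a JSON string under properties.requestbody, and the rule that any weakening change or unlisted caller counts as "anomalous" (Medium) are all assumptions of this example.

```python
import json

# Canonical ARM operation name. Activity log records frequently carry it in
# upper case, so every comparison below is case-insensitive.
AUDIT_WRITE_OP = "microsoft.sql/servers/auditingsettings/write"

# Constructed last-known-good auditing configuration for one server
# (assumed baseline; a real pipeline would take it from a prior event or CMDB).
BASELINE = {
    "state": "Enabled",
    "retentionDays": 90,
    "storageEndpoint": "https://secaudit01.blob.core.windows.net/",
    "isAzureMonitorTargetEnabled": True,
}

# Identities allowed to change auditing settings (assumed allowlist).
AUTHORIZED_CALLERS = {"dba-automation@example.com"}

SERVER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-prod/providers/Microsoft.Sql/servers/sql-prod-01/auditingSettings/default")


def _event(caller, body, status="Succeeded",
           op="MICROSOFT.SQL/SERVERS/AUDITINGSETTINGS/WRITE"):
    """Build a constructed Activity log record (sample data, not real telemetry)."""
    return {
        "operationName": {"value": op},
        "status": {"value": status},
        "caller": caller,
        "resourceId": SERVER,
        # The request body living under properties.requestbody is an assumption.
        "properties": {"requestbody": json.dumps({"properties": body})},
    }


# Constructed sample records, in the order they were logged.
EVENTS = [
    _event("dba-automation@example.com", dict(BASELINE)),           # config re-applied, unchanged
    _event("sql-admin@example.com", {"state": "Disabled"}),         # auditing switched off
    _event("sql-admin@example.com", {"state": "Enabled"}, status="Failed"),
    _event("dba-automation@example.com", {"state": "Enabled", "retentionDays": 7,
           "storageEndpoint": "https://unknownstore01.blob.core.windows.net/"}),
    _event("deployer@example.com", {}, op="Microsoft.Sql/servers/write"),  # unrelated op
]


def effective_retention(days):
    """retentionDays == 0 (or unset) means 'keep indefinitely' for Azure SQL auditing."""
    return float("inf") if not days else int(days)


def classify_change(before, after):
    """Return the ways `after` weakens auditing relative to `before` (empty if none)."""
    findings = []
    if after.get("state") == "Disabled" and before.get("state") != "Disabled":
        findings.append("auditing_disabled")
    if effective_retention(after.get("retentionDays")) < effective_retention(before.get("retentionDays")):
        findings.append("retention_reduced")
    if after.get("storageEndpoint") != before.get("storageEndpoint"):
        findings.append("storage_destination_changed")
    if before.get("isAzureMonitorTargetEnabled") and not after.get("isAzureMonitorTargetEnabled"):
        findings.append("azure_monitor_target_disabled")
    return findings


def triage(events, baseline, authorized_callers):
    """Rate every successful audit-settings write, tracking the running configuration."""
    current = dict(baseline)
    allowed = {c.lower() for c in authorized_callers}
    results = []
    for ev in events:
        if ev["operationName"]["value"].lower() != AUDIT_WRITE_OP:
            continue
        if ev["status"]["value"] != "Succeeded":
            continue  # a failed write changed nothing; review such attempts separately
        requested = json.loads(ev["properties"]["requestbody"]).get("properties", {})
        # Simplification: keys omitted from the request body are treated as unchanged.
        after = {**current, **requested}
        findings = classify_change(current, after)
        authorized = ev["caller"].lower() in allowed
        # Assumed mapping to the severity table: any weakening change or an
        # unlisted caller is "anomalous" (Medium); a benign, authorized write is Low.
        severity = "Medium" if findings or not authorized else "Low"
        results.append({
            "caller": ev["caller"],
            "authorized": authorized,
            "findings": findings,
            "severity": severity,
            "resource": ev["resourceId"],
        })
        current = after
    return results


if __name__ == "__main__":
    for r in triage(EVENTS, BASELINE, AUTHORIZED_CALLERS):
        print(r["severity"], r["caller"], r["findings"])
```

Two details worth keeping when adapting this: match the operation name case-insensitively, since Activity log exports often upper-case it, and treat retentionDays of 0 as unlimited rather than as the shortest possible retention, otherwise a change from 90 days to 0 is mis-rated as a reduction and a change from 0 to 30 days is missed.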