
Unexpected Azure API calls indicating SQL Server modification

ID: azure_sql_server_modified_anomaly
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected modification of an Azure SQL Server configuration via the Microsoft.Sql/servers/write operation. Azure SQL Server settings control public network access, firewall rules, authentication methods, and administrator credentials.

Adversaries may modify SQL Server configurations to enable public network access, weaken authentication requirements, or change firewall rules to allow external connections. These changes can facilitate unauthorized database access or data exfiltration.

Impact

SQL Server configuration changes can weaken database security controls. Attackers may enable public network access to connect from external infrastructure, modify authentication settings to bypass security controls, or change administrator credentials to establish persistent access.

Severity

Severity   Condition
Low        SQL Server modification detected
Medium     Anomalous SQL Server modification

Investigation and Remediation

Review Azure Activity logs for Microsoft.Sql/servers/write events. Examine the request body to identify what configuration changes were made. Check for modifications to public network access settings, firewall rules, or authentication configurations.

If unauthorized, revert the SQL Server to its secure configuration. Review database connection logs for unauthorized access during the exposure window. Investigate the compromised identity for additional malicious activity. Implement Azure Policy to enforce secure SQL Server configurations.
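The triage step above, as an added example that is not AlphaSOC's detection logic or any Azure tooling: the Python below runs over constructed Activity Log events, keeps the Microsoft.Sql/servers/write ones (and Microsoft.Sql/servers/firewallRules/write, since firewall rules are a child resource with their own write operation), parses the request body and reports which settings weakened the server. Field names (operationName, caller, resourceId, resultType, properties.requestbody) follow the Activity Log export schema, but the events, subscription ID, callers and resource names are made up, and the set of flagged properties is this example's own choice rather than a complete list.

```python
from __future__ import annotations

import json
from typing import Any

# Operations to triage. Microsoft.Sql/servers/write carries server-level
# settings; firewall rules are a child resource with a separate write operation.
WATCHED_OPERATIONS = {
    "microsoft.sql/servers/write",
    "microsoft.sql/servers/firewallrules/write",
}


def _load_body(event: dict[str, Any]) -> dict[str, Any]:
    """Return the ARM request body of an Activity Log event as a dict.

    The export schema stores it under properties.requestbody as a JSON string;
    some pipelines pre-parse it into an object, so both shapes are accepted.
    A missing or unparseable body yields an empty dict (nothing to assess).
    """
    body = event.get("properties", {}).get("requestbody", {})
    if isinstance(body, str):
        try:
            body = json.loads(body) if body else {}
        except json.JSONDecodeError:
            return {}
    return body if isinstance(body, dict) else {}


def weakening_changes(operation: str, body: dict[str, Any]) -> list[str]:
    """List the request-body settings that weaken the server's security posture."""
    props = body.get("properties") or {}
    reasons: list[str] = []
    if operation == "microsoft.sql/servers/firewallrules/write":
        # A 0.0.0.0-255.255.255.255 rule admits any IPv4 client.
        if props.get("startIpAddress") == "0.0.0.0" and props.get("endIpAddress") == "255.255.255.255":
            reasons.append("firewall rule allows every IPv4 address")
        return reasons
    if str(props.get("publicNetworkAccess", "")).lower() == "enabled":
        reasons.append("public network access enabled")
    # The password value is not needed: its presence in a PUT means a credential reset.
    if "administratorLoginPassword" in props:
        reasons.append("SQL administrator password supplied (credential reset)")
    admins = props.get("administrators") or {}
    if admins.get("azureADOnlyAuthentication") is False:
        reasons.append("Azure AD-only authentication disabled")
    tls = props.get("minimalTlsVersion")
    if tls is not None and str(tls) in ("1.0", "1.1", "None"):
        reasons.append(f"minimum TLS version set to {tls}")
    return reasons


def triage_events(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per watched write, marked high if it weakened controls."""
    findings = []
    for ev in events:
        op = str(ev.get("operationName", "")).lower()
        if op not in WATCHED_OPERATIONS:
            continue
        reasons = weakening_changes(op, _load_body(ev))
        findings.append({
            "caller": ev.get("caller"),
            "resource": ev.get("resourceId"),
            "operation": ev.get("operationName"),
            "outcome": ev.get("resultType"),
            "risk": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings


# Constructed sample events (made-up subscription, callers and server names).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
SAMPLE_EVENTS = [
    {   # routine pipeline deployment that keeps the server locked down
        "operationName": "Microsoft.Sql/servers/write", "caller": "svc-deploy@example.com",
        "resourceId": f"{_SUB}/providers/Microsoft.Sql/servers/sql-prod-01", "resultType": "Success",
        "properties": {"requestbody": json.dumps({"location": "eastus", "properties": {
            "publicNetworkAccess": "Disabled", "minimalTlsVersion": "1.2"}})},
    },
    {   # interactive user exposes the server and resets the SQL admin password
        "operationName": "Microsoft.Sql/servers/write", "caller": "jdoe@example.com",
        "resourceId": f"{_SUB}/providers/Microsoft.Sql/servers/sql-prod-01", "resultType": "Success",
        "properties": {"requestbody": json.dumps({"properties": {
            "publicNetworkAccess": "Enabled", "administratorLoginPassword": "<redacted>"}})},
    },
    {   # firewall rule opened to the whole IPv4 range; body already parsed
        "operationName": "Microsoft.Sql/servers/firewallRules/write", "caller": "jdoe@example.com",
        "resourceId": f"{_SUB}/providers/Microsoft.Sql/servers/sql-prod-01/firewallRules/allow-all",
        "resultType": "Success",
        "properties": {"requestbody": {"properties": {
            "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}}},
    },
    {   # unrelated database-level write, not in scope for this rule
        "operationName": "Microsoft.Sql/servers/databases/write", "caller": "svc-deploy@example.com",
        "resourceId": f"{_SUB}/providers/Microsoft.Sql/servers/sql-prod-01/databases/app", "resultType": "Success",
        "properties": {"requestbody": "{}"},
    },
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f["risk"].upper(), f["caller"], f["operation"], f["resource"], "; ".join(f["reasons"]))
```

Findings marked "review" are successful writes whose body changed nothing the checks cover; they still deserve a look against change tickets, because the rule fires on the write itself, not only on the risky fields. Failed writes are reported too (see the outcome field), since a denied attempt to expose a server is itself a signal about the calling identity.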