Database Disovery
Discovery Database Services
Query
let DatabasePorts = dynamic([1433, 1434, 1583, 3050, 3306, 3351, 5432]);
// Device List with devices that perform benign connections to SQL machines
let BenignDeviceList = dynamic(['DeviceName1']);
// Threshold for the amount of unique connections
let AlertThreshold = 10;
DeviceNetworkEvents
| where ingestion_time() > ago(24h)
// Filter Database ports
| where RemotePort in (DatabasePorts)
// Filter Benign Devices
| where not(DeviceName in~(BenignDeviceList))
// Summarize results and get statistics
| summarize TotalIPsAccessed = dcount(RemoteIP), IPList = make_set(RemoteIP), PortList = make_set(RemotePort), arg_max(Timestamp, *) by DeviceId, bin(Timestamp, 1h)
| where TotalIPsAccessed >= AlertThreshold
| project DeviceName, Timestamp, TotalIPsAccessed, IPList, PortListAbout this query
Explanation
This query is designed to detect suspicious network activity related to database services within a network. Here's a simplified breakdown:
-
Purpose: The query aims to identify devices that are making an unusually high number of connections to database services, which could indicate a potential security threat, such as an adversary trying to discover network services or access sensitive data.
-
Database Ports: It focuses on specific ports commonly used by various database services, such as MSSQL, MySQL, and PostgreSQL. These ports are 1433, 1434, 1583, 3050, 3306, 3351, and 5432.
-
Benign Devices: There is a list of devices known to make legitimate connections to these databases. These devices are excluded from the analysis to reduce false positives.
-
Alert Threshold: The query sets a threshold of 10 unique connections. If a device connects to 10 or more unique IP addresses on these database ports within the last 24 hours, it is flagged for further investigation.
-
Data Analysis: The query checks network events from the past 24 hours, filters out benign devices, and summarizes the data to identify devices exceeding the connection threshold. It provides details such as the device name, timestamp, total number of unique IPs accessed, and lists of IPs and ports involved.
-
Output: The result is a list of devices that potentially exhibit suspicious behavior, which can be further investigated to determine if there is a security threat.
This query helps in monitoring and securing a network by identifying unusual patterns of database access that could indicate malicious activity.
