Investigating stored procedure threats
About this task
Investigate a suspected stored procedure attack by using the threat diagnostic dashboard.
Procedure
- From the To Do list, or from Investigate > Exceptions, open the Suspected malicious STP Cases dashboard. Each line is a case. Each case shows a Confidence rating, which indicates the certainty that an attack occurred, and a risk level for the attack.
- Click View to evaluate for false positives.
- Hover over the selected case ID to view the case details.
- Click symptoms to open the Malicious STP Case Symptoms page.
- Click the ID number to open the default diagnostic dashboard for SQL injection attacks, which filters according to the incident's date and suspected web-application connection details. This filtering helps to narrow the investigation to database traffic that occurred during the attack. You can change or drop the filter to broaden the scope of investigation. Use the grid on the page to get more detailed information on the chart’s data.
- Use these guidelines while you investigate the charts:
  - Change the timescale to look for peaks at the time of the attack.
  - Look for violations of any security policy, and see whether any violations correlate to other activity at the time of the attack.
  - Drill down by changing filters, time frame, and more to see whether differences exist across the system.
- Evaluate the charts in the dashboard:
  - Compare errors on different servers
    Use this chart to understand whether this server and DB user have exceptionally more errors than other servers and DB users.
  - Compare errors from different database users with similar behavior
    Use this chart to compare the error types and their volume on this DB user with those of similar DB users. The similar DB users are all users that created stored procedures.
  - Similar activities on stored procedures by this database user
    Use this chart to see the stored procedures that the user created or modified during the specific period. The chart filters by verb. You can also use this chart to drill down and see what the user did on the different stored procedures.
  - Compare violations from database users with similar behavior
    Use this chart to compare the volume and type of policy violations on DB users that create stored procedures.
  - Compare outliers from database users with similar behavior
    Use this chart to compare the volume and type of outliers on this DB user with other DB users that create stored procedures.
  - Outliers by data on this database user
    Use this chart to see the volume and score of outliers on the specific DB user.
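The peer comparison behind the "similar behavior" charts can be reproduced offline when you want to confirm what a chart suggests. The following Python is an added example, not part of the product and not its scoring logic: the record layout, the user names, and the 3x threshold are assumptions, and the audit records are constructed sample data.

```python
from collections import Counter
from statistics import median

# Constructed sample audit records (assumed layout, not product output):
# (server, db_user, verb, object_type, is_error)
RECORDS = (
    [("db01", "app_svc", "CREATE", "PROCEDURE", False),
     ("db01", "app_svc", "SELECT", "TABLE", True),
     ("db02", "etl_user", "ALTER", "PROCEDURE", False),
     ("db02", "report_usr", "CREATE", "PROCEDURE", False),
     ("db01", "web_app", "CREATE", "PROCEDURE", False),
     ("db01", "web_app", "ALTER", "PROCEDURE", False)]
    + [("db02", "report_usr", "SELECT", "TABLE", True)] * 2
    + [("db01", "web_app", "EXECUTE", "PROCEDURE", True)] * 7
    + [("db03", "readonly", "SELECT", "TABLE", True)] * 5
)

def stp_creators(records):
    """Peer group: DB users that created or modified a stored procedure."""
    return {user for _, user, verb, obj, _ in records
            if obj == "PROCEDURE" and verb in ("CREATE", "ALTER")}

def error_counts(records, users):
    """Error count per user, keeping users that have zero errors."""
    counts = Counter({user: 0 for user in users})
    for _, user, _, _, is_error in records:
        if is_error and user in users:
            counts[user] += 1
    return counts

def compare_to_peers(records, suspect, ratio=3.0):
    """Return (suspect errors, peer median, exceptional?).

    'Exceptional' uses an assumed rule: at least `ratio` times the
    peer median, with the median floored at 1 to avoid a zero baseline.
    """
    peers = stp_creators(records) - {suspect}
    counts = error_counts(records, peers | {suspect})
    baseline = median(counts[p] for p in peers) if peers else 0
    exceptional = counts[suspect] >= ratio * max(baseline, 1)
    return counts[suspect], baseline, exceptional

if __name__ == "__main__":
    for user in sorted(stp_creators(RECORDS)):
        print(user, compare_to_peers(RECORDS, user))
```

The `readonly` user has many errors but never created a stored procedure, so it is excluded from the baseline, which mirrors how the charts restrict the comparison to similar DB users.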