Risk event categories

Understand the different categories of threats identified by risk events.

Version 3.4.x and laterAbnormal or unexpected behavior
The asset is exhibiting deviations from normal activities. These may be anomalies, which are detected by comparing hourly activity with an average hour’s activity, or policy violations. Investigating these discrepancies is essential to identify whether the irregularities stem from legal activities or breaches of established policies.
Brute force attack
Hackers may attempt to access a database by trying common combinations of user names and passwords, such as 'ADMIN/ADMIN,' or by trying multiple variations of passwords for a specific user.
The occurrence of failed login attempts by multiple users, especially users such as 'ROOT', 'ADMIN', 'WP', and other common username can raise a suspicion of an attack. Moreover, multiple failed login attempts by a single user also raise suspicion of an attack. Other factors, such as excessive exceptions and policy violations, support this suspicion.
Version 3.4.x and laterCredential stealing / Version 3.3.xAccount takeover
There is a suspicion that an unauthorized user accessed the database. A new connection profile was used to access an account, exhibiting anomalies. This may indicate that a user’s credentials were stolen and misused. Errors that are associated with the account are reported.
Cross-site scripting (XSS)
Cross-site scripting (XSS) attacks attempt to insert malicious JavaScript code into the server through input fields and APIs. When such a script is stored in the database, it becomes persistent and is activated every time that a user accesses the data. SQL statements that include JavaScript may indicate an attempt to inject such malicious code.
Version 3.4.x and laterData stealing / Version 3.3.xData leak
This attack is an attempt to retrieve data for unauthorized use. Data stealing is identified by abnormally high data retrieval activity. It may serve as the initial step in a ransomware attack, where the attacker steals the data and then removes it from the database altogether.
Data tampering
In this attack, the attacker accesses the database to modify or remove data. This may cause loss of data or disruption in system operations. Anomalies in the volume of data deletion or modification may indicate such an attack. Exceptions that are caused by missing data may support this suspicion.
Version 3.4.x and laterDistributed Denial-of-Service (DDoS) / Version 3.3.xDenial of Service
Typically, Distributed Denial-of-Service (DDoS) attacks target a network, web server, or web service and should be detected at these levels. However, these attacks can cause a significant increase in data activity and overload the database.
An extreme increase in data activity may indicate a DDoS attack. Also, certain SQL statement patterns can raise suspicion of such an attack, whether there is an increase in data activity or not.
Version 3.3.xExcessive activities
Overall activities on the asset are excessively high compared to the normal volume of activity.
Version 3.3.xExcessive activity on sensitive objects
An exceptionally high volume of activity was observed on sensitive objects.
Version 3.3.xExcessive activity on vulnerable objects
An exceptionally high volume of activity was observed on objects that are in the Guardium vulnerable objects group.
Version 3.3.xExcessive diversity of activity

The asset exhibits a greater diversity of activity compared to its usual patterns. A user might run unauthorized activities in addition to their regular work, or someone else might have accessed their account.

Version 3.3.xExcessive exceptions
The overall number of SQL exceptions is exceptionally higher than the normal number of SQL exceptions. The high number might indicate an SQL injection attempt or deletion of objects that are used by others. This might also be caused by deployment of faulty software upgrade or other technical issues in an application.
Version 3.3.xExcessive new activities
New activities are activities that were never observed from that asset. Excessive new activities occurred compared to the usual volume.
Version 3.3.xGlobal risk
Similar suspicious activities were observed across multiple assets. This observation suggests that the suspicious activities are not limited to the observed asset alone. Instead, they indicate a widespread attack. A global risk is a pervasive and high-level risk that warrants further investigation.
Version 3.3.xMassive grants
A user granted many new privileges to various users. It might also be a user who typically does not grant privileges that has now granted a significant number of privileges.
Version 3.3.xMassive user creation
A user created many new users compared to normal. While this might appear as normal day-to-day activity, it should be investigated since the creation of many users is often the initial step in a Distributed Denial-of-Service (DDoS) attack.
Version 3.3.xMassive user drop
The drop-user activity was excessively used by a user to remove a significant number of users.
Version 3.3.xMassive violations
A high number of policy violations with high severity might indicate a breach. Alternatively, it can merely indicate an overly restrictive policy rule. If the massive violations alert is a false positive that occurs often, check the policy rule, and consider adjusting it.
OS command injection
OS command injection, also known as shell injection, is an attempt to run commands on the operating system, injected through an application. Certain patterns of SQL statements may indicate that the statement includes an OS command and can be suspected as an OS command injection attempt.
Schema tampering
Schema tampering refers to the malicious modification or removal of database elements, such as tables, views, and stored procedures. These modifications may cause excessive exceptions as applications fail to use these schema elements in a usual manner.
An anomaly in the volume of activities that modify or remove schema elements may indicate such an attack. Exceptions that are related to schema elements that don’t exist support this suspicion.
Version 3.4.x and laterSQL Injection
SQL injection attacks attempt to use application vulnerabilities by concatenating user input with SQL queries. If successful, these attacks can run malicious SQL commands by using the legitimate application connection. There are various SQL injection techniques. Explore policy violations and exceptions to understand which techniques, suggesting an SQL injection, were identified.
Version 3.3.xSQL Injection-Tautology
In a tautology type attack, code is injected that uses the conditional operator OR and a query that evaluates to TRUE. Tautology-based SQL injection attacks usually bypass user authentication and extract data by inserting a tautology in the "WHERE" clause of an SQL query. The SQL query results transform the original condition into a tautology that causes, for example, all the rows in a database table to be open to an unauthorized user.
Version 3.3.xSQL Injection- Side channel
SQL injection attacks often result in a general error with no indication of the reason for failure. In side channel attacks, the attacker typically inserts code that has a "side effect" like sleeping for 2 seconds if an attack is successful. This technique allows the attacker to measure the side effect and determine whether the attack was successful. For example, the injected code might sleep for 2 seconds if the MySQL version in 5.6. If the request takes more than 2 seconds to return, the attacker confirms that the server is running MySQL 5.6.
Guardium® finds side channel attacks by identifying the use of commands such as sleep and comments in the database requests.
Version 3.3.xSQL Injection- Denial of Service
A denial of service attack attempts to impact service availability by creating excessively high demands on memory or resources, or by causing server unavailability.
A policy rule identifies these attacks by, for example, analyzing the syntax used in the database requests.
Uncategorized
Unusual activity that does not fall under any specific category occurred. Although this anomalous event does not fall under one of the pre-defined categories, it still suggests risk and warrants attention.