Investigating stored procedure threats
About this task
This procedure describes investigating a suspected stored procedure attack, using the threat diagnostic dashboard.
Procedure
- From the To Do list, or from Investigate > Exceptions, open the Suspected malicious STP Cases dashboard. Each line is a case, with a Confidence rating that expresses how certain the detection is that an attack occurred, and a risk level for that attack.
- Click View to evaluate for false positives.
- Hover over the selected case id to view the case details.
- Click symptoms to open the Malicious STP Case Symptoms page.
- Click the id number to open the default diagnostic dashboard for SQL injection attacks. The dashboard is filtered by the incident's date and the suspected web-application connection details, which narrows the investigation to the database traffic that occurred during the attack. You can change or drop the filter to broaden the scope of the investigation. Use the bottom grid to get more detailed information on the chart's data.
- Use these guidelines while investigating the charts:
- Change the timescale to look for peaks at the time of the attack.
- Look for violations of any security policy, and check whether any violations correlate with other activity at the time of the attack.
- Drill down by changing filters, the time frame, and so on, to see whether there are differences across the system.
- Evaluate the charts in the dashboard:
- Compare errors on different servers
- Use this chart to see whether this server and DB user have significantly more errors than other servers and DB users.
- Compare errors from different database users with similar behavior
- Use this chart to compare the error types and their volume for this DB user against similar DB users. Similar DB users are all users that have created stored procedures.
- Similar activities on stored procedures by this database user
- Use this chart to see which stored procedures the user created or modified during the selected period. The chart is filtered by SQL verb. Use it also to drill down and see what the user did on each stored procedure.
- Compare violations from database users with similar behavior
- Use this chart to compare the volume and type of policy violations for this DB user against other DB users that create stored procedures.
- Compare outliers from database users with similar behavior
- Use this chart to compare the volume and type of outliers for this DB user against other DB users that create stored procedures.
- Outliers by data on this database user
- Use this chart to see the volume and score of outliers for this DB user.
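The peer-group comparisons the charts above make (errors, policy violations and stored-procedure activity for one DB user set against the other users that create stored procedures, plus errors per server) can be reproduced over raw audit events, which is useful when you want to re-check a dashboard finding from exported logs. The following Python is an added example and is not part of this product's tooling or documentation; the event layout, field names, user names, server names and the error and violation labels are all constructed for illustration.

```python
"""Peer-group triage of database audit events for a suspected stored
procedure attack. Added example: the event layout, names and labels below
are assumed for illustration and do not come from any product schema."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: str                   # ISO 8601 timestamp of the statement
    server: str               # database server the statement ran on
    db_user: str              # database account that issued it
    verb: str                 # SQL verb as normalised by the monitor
    obj: str                  # object the statement touched
    error: Optional[str]      # error code returned, if any
    violation: Optional[str]  # security policy rule violated, if any


# Stored-procedure DDL verbs; users issuing any of these form the "similar" peer set.
STP_DDL = {"CREATE PROCEDURE", "ALTER PROCEDURE", "DROP PROCEDURE"}

# Constructed sample events (not captured traffic). app_svc is the suspect: an
# application account that suddenly creates and alters a procedure and piles up
# permission errors; dba1 and dba2 are legitimate procedure authors.
SAMPLE_EVENTS = [
    Event("2024-05-01T10:00:00", "db01", "dba1", "CREATE PROCEDURE", "dbo.sp_nightly_load", None, None),
    Event("2024-05-01T10:05:00", "db01", "dba2", "ALTER PROCEDURE", "dbo.sp_archive", None, None),
    Event("2024-05-01T10:06:00", "db01", "dba2", "EXECUTE", "dbo.sp_archive", "ERR_SYNTAX", None),
    Event("2024-05-01T10:10:00", "db02", "report_ro", "SELECT", "dbo.orders", None, None),
    Event("2024-05-01T10:15:00", "db01", "app_svc", "CREATE PROCEDURE", "dbo.sp_export", None, "DDL from application account"),
    Event("2024-05-01T10:15:30", "db01", "app_svc", "EXECUTE", "dbo.sp_export", "ERR_PERMISSION", None),
    Event("2024-05-01T10:16:00", "db01", "app_svc", "EXECUTE", "dbo.sp_export", "ERR_PERMISSION", None),
    Event("2024-05-01T10:17:00", "db01", "app_svc", "ALTER PROCEDURE", "dbo.sp_export", None, "DDL from application account"),
    Event("2024-05-01T10:18:00", "db01", "app_svc", "EXECUTE", "dbo.sp_grant_role", "ERR_PERMISSION", "Privileged procedure call"),
    Event("2024-05-01T10:20:00", "db01", "app_svc", "EXECUTE", "dbo.sp_export", None, None),
    Event("2024-05-01T11:00:00", "db02", "dba1", "EXECUTE", "dbo.sp_nightly_load", None, None),
    Event("2024-05-01T11:30:00", "db01", "app_svc", "SELECT", "dbo.customers", None, None),
]


def peer_group(events: List[Event]) -> List[str]:
    """Users that created or modified a stored procedure: the comparison set
    the 'similar behavior' charts use."""
    return sorted({e.db_user for e in events if e.verb in STP_DDL})


def errors_by_user(events: List[Event], users: List[str]) -> Dict[str, Counter]:
    """Error type -> count for each of the given users."""
    out = {u: Counter() for u in users}
    for e in events:
        if e.db_user in out and e.error:
            out[e.db_user][e.error] += 1
    return out


def violations_by_user(events: List[Event], users: List[str]) -> Dict[str, Counter]:
    """Violated policy rule -> count for each of the given users."""
    out = {u: Counter() for u in users}
    for e in events:
        if e.db_user in out and e.violation:
            out[e.db_user][e.violation] += 1
    return out


def errors_by_server(events: List[Event]) -> Dict[str, int]:
    """Total errors per server, including servers that returned none."""
    out = {e.server: 0 for e in events}
    for e in events:
        if e.error:
            out[e.server] += 1
    return out


def error_zscore(events: List[Event], user: str, peers: List[str]) -> float:
    """Standard deviations (population) the user's error count sits above the
    mean of the other peers; inf means the peers are uniform and the user
    still exceeds them, so a large positive value flags the user as unusual."""
    totals = {u: sum(c.values()) for u, c in errors_by_user(events, peers).items()}
    others = [n for u, n in totals.items() if u != user]
    mu, sigma = mean(others), pstdev(others)
    if sigma == 0:
        return float("inf") if totals[user] > mu else 0.0
    return (totals[user] - mu) / sigma


def stp_activity(events: List[Event], user: str, start: str, end: str,
                 verbs=STP_DDL) -> Dict[str, List[str]]:
    """Stored procedures the user touched between start and end (ISO strings),
    grouped by verb: the 'similar activities on stored procedures' view."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    out = defaultdict(list)
    for e in events:
        if e.db_user == user and e.verb in verbs and t0 <= datetime.fromisoformat(e.ts) <= t1:
            out[e.verb].append(e.obj)
    return dict(out)


if __name__ == "__main__":
    peers = peer_group(SAMPLE_EVENTS)
    print("peers:", peers)
    print("errors by server:", errors_by_server(SAMPLE_EVENTS))
    print("errors by peer:", errors_by_user(SAMPLE_EVENTS, peers))
    print("violations by peer:", violations_by_user(SAMPLE_EVENTS, peers))
    print("app_svc error z-score vs peers:", error_zscore(SAMPLE_EVENTS, "app_svc", peers))
    print("app_svc STP DDL 10:00-10:30:",
          stp_activity(SAMPLE_EVENTS, "app_svc", "2024-05-01T10:00:00", "2024-05-01T10:30:00"))
```

Change `verbs` in `stp_activity` to `{"EXECUTE"}` to see what the user did with the procedures after creating them, which is the drill-down the chart description asks for; a high z-score from `error_zscore` together with DDL from an account that normally issues none is the pattern worth escalating rather than closing as a false positive.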
Parent topic: Working with threat diagnostic dashboards