Suspicious activity monitoring of databases can reveal insider abuse, credential theft, privilege escalation, database-specific attacks, audit trail modifications, and misconfigurations. Use this content pack to monitor, identify, and get alerts to successful and potential database exploit activity, SQL events by language type, and any other suspicious database events. Filtering database events by timeframe, domain, host, geolocation, and user can be especially helpful in identifying suspicious usage. Among other things, system administrators can use this content pack to track domain policy changes as well as privileged security group membership changes in their environment. Tracking users making changes to these items enables suspicious modifications to be caught and fixed.

Content Pack Components

Views

  • Database Events by Language Type
  • Database Events by Subtype
  • Database Exploit Activity
  • Failed Database Logons
  • Successful Database Logons

Reports

Reports may be adjusted to suit the needs of the environment.

  • Database - Database Events
  • Database - Database Logon Events

Correlation Rules

  • Database - Activity Outside Company Geolocation
  • Database - Attempted Database Configuration Change by a Remote Host
  • Database - Bulk Data Transfer after Exploit Activity
  • Database - Database Event Activity after Exploit Activity
  • Database - Excessive Database Connections from a Single Source
  • Database - Possible Exploit Activity
  • Database - Increased Number of DCL Events
  • Database - Increased Number of DDL Events
  • Database - Increased Number of DML Events
  • Database - Increased Number of TCL Events
  • Database - Multiple Database Access Attempt Failures
  • Database - Multiple Audit Trail Modifications
  • Database - Possible SQL Injection Activity - Low-Severity Queries
  • Database - Possible SQL Injection Activity - Query Failure by Destination User
  • Database - Possible SQL Injection Activity - Query Failure by Source IP
  • Database - Source User Logon Different from Destination User Logon

Required Products

  • McAfee Enterprise Security Manager (ESM) 11.x, 10.x
  • McAfee Advanced Correlation Engine (ACE) 11.x, 10.x

Content pack demo

Content packs are available directly inside the McAfee Enterprise Security Manager user interface. Watch the video to discover how to access your content pack and get started.

Watch Video
prevent-ransomware

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.

Read Article

Explore

Find other content packs and partner integrations.

See All

Free Trial

Interested in McAfee Enterprise Security Manager?

Register