Suspicious activity monitoring of databases can reveal insider abuse, credential theft, privilege escalation, database-specific attacks, audit trail modifications, and misconfigurations. Use this content pack to monitor, identify, and get alerts to successful and potential database exploit activity, SQL events by language type, and any other suspicious database events. Filtering database events by timeframe, domain, host, geolocation, and user can be especially helpful in identifying suspicious usage. Among other things, system administrators can use this content pack to track domain policy changes as well as privileged security group membership changes in their environment. Tracking users making changes to these items enables suspicious modifications to be caught and fixed.

Content Pack Components


  • Database Events by Language Type
  • Database Events by Subtype
  • Database Exploit Activity
  • Failed Database Logons
  • Successful Database Logons


Reports may be adjusted to suit the needs of the environment.

  • Database - Database Events
  • Database - Database Logon Events

Correlation Rules

  • Database - Activity Outside Company Geolocation
  • Database - Attempted Database Configuration Change by a Remote Host
  • Database - Bulk Data Transfer after Exploit Activity
  • Database - Database Event Activity after Exploit Activity
  • Database - Excessive Database Connections from a Single Source
  • Database - Possible Exploit Activity
  • Database - Increased Number of DCL Events
  • Database - Increased Number of DDL Events
  • Database - Increased Number of DML Events
  • Database - Increased Number of TCL Events
  • Database - Multiple Database Access Attempt Failures
  • Database - Multiple Audit Trail Modifications
  • Database - Possible SQL Injection Activity - Low-Severity Queries
  • Database - Possible SQL Injection Activity - Query Failure by Destination User
  • Database - Possible SQL Injection Activity - Query Failure by Source IP
  • Database - Source User Logon Different from Destination User Logon

Required Products

  • McAfee Enterprise Security Manager (ESM) 11.x, 10.x
  • McAfee Advanced Correlation Engine (ACE) 11.x, 10.x

Download Content Pack

Registered ServicePortal users can log in to access the Knowledge Center for further documentation or to download the content pack file manually.

Read Article


Find other content packs and partner integrations.

See All

Free Trial

Interested in McAfee Enterprise Security Manager?