
Data Risk Analytics User Guide


Active Attack on Database - Audit Tampering


What it means

A malicious user attacked the database and attempted to modify the database audit log records, or attempted to partially or completely delete them, in order to disguise their actions.

Implications

There is an attacker within the organization network with access to the database. The attacker is trying to cover their tracks, and this attack might be part of a broader attack. The attacker probably still has access to the database and may continue to execute various attacks.

What to look for

Examine the incident details and Imperva audit logs as required to determine:

  • The number of attempts that took place
  • Whether the attempts succeeded
  • If the attempts succeeded, what data was modified or deleted
  • Whether the activity was actually performed by the indicated user (trace the activity to verify this)
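
The checks above can be scripted over an exported audit trail. The following is an added example, not Imperva code or an Imperva export format: the JSON event fields, the audit object names and the per-account host baseline are assumptions, and the sample events are constructed.

```python
import json
import re
from collections import Counter

# Assumption: audit-trail objects to watch; substitute those of your database.
AUDIT_OBJECTS = {"SYS.AUD$", "SYS.FGA_LOG$"}
# Statements that modify or delete rows, capturing the verb and target object.
TAMPER = re.compile(r"^\s*(DELETE\s+FROM|UPDATE|TRUNCATE\s+TABLE)\s+([\w.$]+)", re.I)
# Assumption: hosts each account normally connects from (hypothetical baseline).
KNOWN_HOSTS = {"app_svc": {"10.0.5.20"}, "dba_kim": {"10.0.9.11"}}

# Constructed sample events, one JSON object per line (not a real export).
SAMPLE = """\
{"user":"app_svc","src":"10.0.7.44","sql":"DELETE FROM SYS.AUD$ WHERE userid='APP_SVC'","ok":false,"rows":0}
{"user":"app_svc","src":"10.0.7.44","sql":"DELETE FROM SYS.AUD$ WHERE userid='APP_SVC'","ok":true,"rows":37}
{"user":"app_svc","src":"10.0.5.20","sql":"UPDATE orders SET status='shipped' WHERE id=7","ok":true,"rows":1}
{"user":"dba_kim","src":"10.0.9.11","sql":"delete from sys.fga_log$ where dbuid='DBA_KIM'","ok":true,"rows":2}
"""

def triage(text):
    """Summarise audit-tampering attempts for the four checks listed above."""
    attempts = []
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        m = TAMPER.match(ev["sql"])
        if not m or m.group(2).upper() not in AUDIT_OBJECTS:
            continue  # not a write against an audit-trail object
        ev["object"] = m.group(2).upper()
        ev["known_host"] = ev["src"] in KNOWN_HOSTS.get(ev["user"], set())
        attempts.append(ev)
    succeeded = [e for e in attempts if e["ok"]]
    return {
        "attempts": len(attempts),
        "succeeded": len(succeeded),
        "rows_changed": sum(e["rows"] for e in succeeded),
        "objects_changed": sorted({e["object"] for e in succeeded}),
        "by_user": dict(Counter(e["user"] for e in attempts)),
        # Activity from a host outside the account's baseline: confirm with
        # the account owner before attributing it to that user.
        "verify_identity": sorted({(e["user"], e["src"])
                                   for e in attempts if not e["known_host"]}),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Attempts from a known host, such as the `dba_kim` event, are still counted, since any modification should be examined.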

Exceptions

While changes in audit configuration could be legitimate, any modification should be examined.

Note: Viewing this incident requires deploying Imperva Sonar and configuring it to send security events to Data Risk Analytics. This incident is only available for some database types.
