ATP Definition
ATP (Advanced Threat Protection) provides security alerts on unusual activity so that customers can detect and respond to potential threats as they occur. Users receive alerts when ATP finds suspicious database activity, potential vulnerabilities, SQL injection attacks, or anomalous database access and query patterns.
Each alert includes details of the suspicious activity and recommended actions for investigating the threat and mitigating the risk. With ATP you can address potential threats to your database without being a security expert or operating a separate security monitoring system.
ATP Features
ATP (Advanced Threat Protection) Alerts
ATP detects anomalous, potentially harmful activities that attempt to access or exploit the database and triggers the following alerts:
Vulnerability to SQL injection
- This alert is triggered when an application generates a faulty (syntactically invalid) SQL statement in the database. It indicates a possible vulnerability to SQL injection attacks. Faulty statements arise for two reasons:
- A defect in the application code constructs the faulty SQL statement.
- Application code or stored procedures do not sanitize user input when constructing the SQL statement, so the input itself becomes part of the statement and may be exploited for SQL injection.
Potential SQL injection
- This alert is triggered when an active exploit occurs against an identified application vulnerability to SQL injection.
- It means that an attacker is trying to inject malicious SQL statements through the vulnerable application code or stored procedures.
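The two alerts above describe a progression: unsanitized input first produces broken statements (the "vulnerability" alert), and the same code path later runs attacker-controlled SQL (the "potential SQL injection" alert). The following added example, written for this page and not taken from ATP or any Microsoft code, reproduces that progression in an in-memory SQLite database (an assumed stand-in for SQL Server; the `users` table, its rows and the function names are constructed for illustration). `lookup_vulnerable` concatenates user input into the statement, `lookup_safe` uses a bound parameter, and `classify` reports what the database would observe for a given input.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows; an assumption, not real customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Flawed pattern: the input is spliced into the SQL text, so it can change the statement."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the input is passed as a parameter and can only ever be a value."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def classify(conn, name):
    """What the database sees for one input through the vulnerable path.

    'error'   - the statement is malformed; this is the faulty-statement signal that
                indicates a SQL injection vulnerability (e.g. a plain apostrophe in a name).
    'exploit' - the statement ran but returned something other than the parameterized
                query would; the input has altered the query's logic.
    'ok'      - the input behaved as a value.
    """
    try:
        rows = lookup_vulnerable(conn, name)
    except sqlite3.Error:
        return "error"
    return "exploit" if rows != lookup_safe(conn, name) else "ok"


if __name__ == "__main__":
    db = make_db()
    for probe in ["alice", "O'Brien", "' OR '1'='1", "alice'--"]:
        print(repr(probe), "->", classify(db, probe))
```

The apostrophe in `O'Brien` is not an attack, yet it produces the same faulty-statement error an attacker's probe would, which is why ATP treats such errors as evidence of a vulnerability rather than of an exploit. The `' OR '1'='1` and `alice'--` inputs run without error but return rows the caller never asked for; the parameterized `lookup_safe` returns nothing for either, because a bound parameter cannot change the statement.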
Access from an unusual location
- This alert is triggered when there is a change in the access pattern to SQL Server, where someone has logged on from an unusual geographical location.
- In some cases the alert detects a legitimate action (for example, a new application). In other cases it detects malicious activity.
Access from an unusual data center
- This alert is triggered when there is a change in the access pattern to SQL Server, where someone has recently logged on from an unusual data center.
- In some cases the alert detects a legitimate action. In other cases it detects malicious activity from a resource or service (a former employee, an external attacker).
Access from an unfamiliar principal
- This alert is triggered when there is a change in the access pattern to SQL Server, where someone has logged on using an unusual principal (SQL user). In some cases the alert detects a legitimate action; in other cases it indicates malicious activity.
Access from a potentially harmful application
- This alert is triggered when a potentially harmful application is used to access the database.
- In some cases the alert detects a penetration test in progress. In other cases it detects an attack carried out with common attack tools.
Brute force SQL credentials
- This alert is triggered when the number of failed login attempts with different credentials is abnormally high.
- In some cases the alert detects a penetration test in progress. In other cases it detects a brute force attack.
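The access-pattern alerts (unusual location, unusual data center, unfamiliar principal) and the brute force alert all rest on the same idea: compare current logins against what has been seen before, and count failures per source. The added example below is written for this page and is not ATP's own detection logic or output format. It runs two such heuristics over a constructed sample of login audit events; the log layout, the `BASELINE` of previously observed (principal, country) pairs, the five-minute window and the threshold of five distinct principals are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, one per line (an assumed layout, not ATP's format):
# timestamp principal client_ip country success(1/0)
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice 10.0.0.5 NL 1
2024-03-01T09:05:00 bob 10.0.0.7 NL 1
2024-03-01T09:10:00 alice 203.0.113.9 BR 1
2024-03-01T09:12:00 svc_backup 10.0.0.8 NL 1
2024-03-01T10:00:00 admin 198.51.100.4 RU 0
2024-03-01T10:00:01 sa 198.51.100.4 RU 0
2024-03-01T10:00:02 root 198.51.100.4 RU 0
2024-03-01T10:00:03 test 198.51.100.4 RU 0
2024-03-01T10:00:04 backup 198.51.100.4 RU 0
2024-03-01T10:00:05 alice 198.51.100.4 RU 0
2024-03-01T11:00:00 bob 10.0.0.7 NL 0
2024-03-01T11:30:00 bob 10.0.0.7 NL 1
"""

# (principal, country) pairs observed during an assumed learning period.
BASELINE = {("alice", "NL"), ("bob", "NL")}


def parse_log(text):
    """Turn the sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, ip, country, ok = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "principal": principal,
            "ip": ip,
            "country": country,
            "success": ok == "1",
        })
    return events


def unfamiliar_access(events, baseline):
    """Successful logins whose principal, or whose (principal, country) pair, is outside the baseline.

    A principal never seen before maps to the 'unfamiliar principal' alert; a known principal
    from a new country maps to the 'unusual location' alert. Failed logins are left to the
    brute force check, so a guessed-but-wrong password does not count as an access.
    """
    known_principals = {p for p, _ in baseline}
    alerts = []
    for e in events:
        if not e["success"]:
            continue
        if e["principal"] not in known_principals:
            alerts.append(("unfamiliar_principal", e["principal"], e["country"]))
        elif (e["principal"], e["country"]) not in baseline:
            alerts.append(("unusual_location", e["principal"], e["country"]))
    return alerts


def brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Client IPs that fail to log in with at least `threshold` distinct principals inside one window.

    Counting distinct principals rather than raw failures separates credential guessing
    from one user mistyping a password several times.
    """
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if not e["success"]:
            failures[e["ip"]].append(e)
    alerts = []
    for ip, fails in failures.items():
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            names = {f["principal"] for f in in_window}
            if len(names) >= threshold:
                alerts.append((ip, len(names)))
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("access alerts:", unfamiliar_access(evs, BASELINE))
    print("brute force  :", brute_force(evs))
```

On the sample, `alice` logging in from BR is a known principal at a new location, `svc_backup` is a principal the baseline has never seen, and `198.51.100.4` is flagged after six failures under six different names within seconds, while `bob`'s single failed attempt followed by a successful login is ignored. As the text notes, both kinds of alert can be legitimate (a new application, a penetration test), so the baseline has to be refreshed once an investigated alert is confirmed benign.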