Real-Time Threat Detection
Automatically detect SQL injection, anomalous behavior, privilege escalation, and data exfiltration attempts before they compromise your databases.
Multi-Layer Detection Engine
DB Audit combines signature-based detection, machine learning anomaly detection, and behavioral analysis to identify threats that traditional tools miss. Our detection engine processes queries in real-time with sub-millisecond latency.
Detection Capabilities
SQL Injection Detection
Identify and block SQL injection attempts in real-time using pattern matching, semantic analysis, and behavioral models.
- Union-based injection attacks
- Blind SQL injection attempts
- Time-based injection patterns
- Stacked query attacks
Anomaly Detection
Machine learning-powered detection of unusual database activity patterns that may indicate compromised credentials or insider threats.
- Unusual query patterns
- Abnormal data access volumes
- Off-hours activity detection
- Geographic anomalies
Privilege Escalation Detection
Monitor for unauthorized privilege changes, role modifications, and attempts to bypass access controls.
- Unauthorized GRANT statements
- Role elevation attempts
- Permission boundary violations
- Admin account creation
Data Exfiltration Detection
Detect bulk data extraction, unusual export patterns, and potential data theft before sensitive information leaves your systems.
- Large result set exports
- Systematic table scanning
- Unusual COPY/EXPORT commands
- API-based data extraction
SQL Injection Detection
Comprehensive SQL injection detection using pattern matching, semantic analysis, and query structure validation. Block attacks before they reach your database.
SQL injection remains one of the most common database attack vectors. Even an application that parameterizes its own queries can be exposed to second-order injection, where a payload stored safely on one code path is later concatenated into a dynamic query on another. DB Audit inspects the query text that actually arrives at the database, so it detects injection attempts regardless of how the application built the statement.
patterns: Regex-based detection of known injection patterns including UNION, comment sequences, and stacked queries.
semantic_analysis: Detect tautologies (OR 1=1), syntax errors, and logical anomalies that indicate manipulation.
actions: Configure response actions: block, alert, log, or quarantine suspicious queries.
# SQL Injection Detection Configuration
detection:
  sql_injection:
    enabled: true
    sensitivity: high

    # Pattern-based detection. Patterns are single-quoted so YAML passes the
    # backslash escapes through unchanged, and prefixed with (?i) so that
    # mixed-case payloads ("uNiOn SeLeCt") do not slip past them.
    patterns:
      - name: union_injection
        pattern: '(?i)UNION\s+(ALL\s+)?SELECT'
        severity: critical
      - name: comment_injection
        pattern: '(?i)(--|#|/\*).*(OR|AND)\s+[''"]?\d'
        severity: high
      - name: stacked_queries
        pattern: '(?i);\s*(DROP|DELETE|UPDATE|INSERT)'
        severity: critical

    # Semantic analysis
    semantic_analysis:
      enabled: true
      detect_tautologies: true    # OR 1=1, OR 'a'='a'
      detect_syntax_errors: true

    # Actions on detection
    actions:
      - block_query
      - alert:
          severity: critical
          channels: [slack, pagerduty]
      - log_full_context
Anomaly Detection
Machine learning models build behavioral baselines for each user, application, and database. Detect deviations that may indicate compromised credentials or insider threats.
- Learn normal patterns from historical data
- Adjust sensitivity for off-hours and weekends
- Individual baselines for each database user
- Self-tuning based on feedback
# Anomaly Detection Configuration
detection:
  anomaly:
    enabled: true

    # Behavioral baselines
    baseline:
      learning_period: 14d
      update_frequency: 24h
      minimum_samples: 1000

    # Detection thresholds
    thresholds:
      query_volume:
        deviation: 3.0    # standard deviations from the baseline mean
        window: 1h
      data_access:
        deviation: 2.5
        window: 15m
      new_tables_accessed:
        max_new_tables: 5
        window: 1h
      query_complexity:
        deviation: 2.0
        window: 30m

    # Time-based rules
    time_rules:
      - name: off_hours
        hours: "22:00-06:00"
        sensitivity_multiplier: 2.0
      - name: weekend
        days: [saturday, sunday]
        sensitivity_multiplier: 1.5
Privilege Escalation Detection
Monitor all privilege-related operations including GRANT, REVOKE, role changes, and user creation. Detect unauthorized attempts to elevate access or bypass controls.
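Added example serving both the SQL injection rules above and the privilege-escalation rules described here (Python; not DB Audit code, and every sample query is constructed). It runs the page's three injection patterns plus a tautology check of the kind semantic_analysis performs, shows a second-order case in which a payload stored earlier is concatenated into a query by a hypothetical application path and is caught only by inspecting the final statement, and shows why the admin_role_grant condition needs its alternatives grouped.

```python
import re

# The three pattern rules from the SQL-injection configuration on this page,
# with an inline (?i) flag so that mixed-case payloads do not evade them.
SQLI_PATTERNS = {
    "union_injection":   re.compile(r"(?i)UNION\s+(ALL\s+)?SELECT"),
    "comment_injection": re.compile(r"""(?i)(--|#|/\*).*(OR|AND)\s+['"]?\d"""),
    "stacked_queries":   re.compile(r"(?i);\s*(DROP|DELETE|UPDATE|INSERT)"),
}

# Stand-in for detect_tautologies: "OR 1=1" style numeric tautologies and
# "OR 'a'='a'" style quoted ones. Both sides must be the same literal, so
# "OR 1=10" is not flagged.
TAUTOLOGY = re.compile(
    r"""(?i)\bOR\s+(?:(\d+)\s*=\s*\1\b|(['"])([^'"]*)\2\s*=\s*\2\3\2)"""
)

# The admin_role_grant condition as it might be written ungrouped, beside the
# grouped form. Without parentheses the alternation parses as
#   (GRANT.*SUPERUSER) | (ADMIN) | (DBA)
# so any statement that merely mentions "admin" or "dba" trips the rule.
ADMIN_GRANT_UNGROUPED = re.compile(r"(?i)GRANT.*SUPERUSER|ADMIN|DBA")
ADMIN_GRANT_GROUPED = re.compile(r"(?i)GRANT.*(SUPERUSER|ADMIN|DBA)")


def detect_sqli(query):
    """Names of the injection rules that fire on the text the database received."""
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(query)]
    if TAUTOLOGY.search(query):
        hits.append("tautology")
    return hits


def second_order_query(stored_display_name):
    """Hypothetical application path: a value that was stored safely through a
    parameterized INSERT is later concatenated into a dynamic query. The
    database sees only the final text, which is what database-layer detection inspects."""
    return "SELECT id, total FROM orders WHERE owner = '" + stored_display_name + "'"


def admin_grant_matches(query):
    """How the ungrouped and grouped admin_role_grant conditions treat a query."""
    return {
        "ungrouped": bool(ADMIN_GRANT_UNGROUPED.search(query)),
        "grouped": bool(ADMIN_GRANT_GROUPED.search(query)),
    }


if __name__ == "__main__":
    samples = [   # constructed, not captured traffic
        "SELECT id FROM items WHERE id = 7 union select username, password FROM users",
        "SELECT * FROM users WHERE name = '' OR 'a'='a'",
        "SELECT 1 /* x */ OR 1 = 1",
        "SELECT 1; DROP TABLE audit_log",
        "SELECT id FROM items WHERE id = 1 OR 1=10",   # equality of different literals
        second_order_query("x' OR 1=1 --"),            # payload stored on an earlier request
    ]
    for q in samples:
        print(detect_sqli(q), "<-", q)
    for q in ["SELECT body FROM dba_notes WHERE id = 3", "GRANT rds_superuser TO app_user"]:
        print(admin_grant_matches(q), "<-", q)
```

The second-order query matches none of the three signatures (its comment sequence is at the end, after the tautology), which is why the semantic stage matters. The privilege samples also expose a gap worth closing in a real rule set: ALTER ROLE bob SUPERUSER confers the same privilege without a GRANT keyword, so ALTER ROLE and ALTER USER need their own condition.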
monitored_operations: Track GRANT, REVOKE, CREATE USER, ALTER USER, and role modifications.
rules: Define conditions that trigger alerts based on operation type and context.
require_approval: Queue sensitive operations for manual approval before execution.
# Privilege Escalation Detection
detection:
  privilege_escalation:
    enabled: true

    # Monitor these operations
    monitored_operations:
      - GRANT
      - REVOKE
      - CREATE USER
      - ALTER USER
      - CREATE ROLE
      - ALTER ROLE
      - SET ROLE

    # Alert conditions. Alternatives are grouped and matching is case-insensitive:
    # the ungrouped form GRANT.*SUPERUSER|ADMIN|DBA parses as three separate
    # alternatives and fires on any statement that merely mentions "admin" or "dba".
    rules:
      - name: admin_role_grant
        condition: '(?i)GRANT.*(SUPERUSER|ADMIN|DBA)'
        severity: critical
        immediate: true
      - name: new_user_creation
        condition: '(?i)CREATE USER'
        severity: high
        require_approval: true
      - name: role_elevation
        condition: '(?i)SET ROLE.*admin'
        severity: high
        log_session: true

    # Exempt legitimate automation from these rules
    exceptions:
      users: [terraform, migration_user]
      applications: [provisioning_service]
Data Exfiltration Detection
Identify potential data theft through volume analysis, pattern detection, and export monitoring. Stop unauthorized data extraction before it leaves your systems.
Unlike traditional DLP that monitors network traffic, DB Audit detects exfiltration at the source—before data leaves the database. This catches attacks that bypass network controls.
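Added example, not DB Audit code: the volume and pattern rules described above as sliding-window logic in Python over a constructed query log (session id, table, rows returned). It applies the 100,000-row / 5-minute large_export rule, the 10,000-row bulk_select rule on the listed sensitive tables, and a systematic_scan rule that fires when more than 10 distinct tables are read within 10 minutes, then maps the highest severity to the response actions from the configuration. How the product itself counts rows or sequences tables is not documented on this page; the class and helper names are this example's own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and windows from the data-exfiltration configuration on this page.
SENSITIVE_TABLES = {"customers", "orders", "transactions"}
BULK_SELECT_ROWS = 10_000                   # bulk_select, evaluated per query
LARGE_EXPORT_ROWS = 100_000                 # large_export: rows per session within...
LARGE_EXPORT_WINDOW = timedelta(minutes=5)  # ...this sliding window
SCAN_TABLES = 10                            # systematic_scan: more than this many tables...
SCAN_WINDOW = timedelta(minutes=10)         # ...within this window

# Response actions keyed by severity, as in the configuration.
ACTIONS = {
    "high": ["terminate_session", "alert_security_team", "preserve_evidence"],
    "medium": ["alert", "increase_logging"],
}
SEVERITY_RANK = {"medium": 1, "high": 2}


class ExfilDetector:
    """Per-session sliding-window state for the three rules above."""

    def __init__(self):
        self._rows = defaultdict(deque)     # session -> deque of (ts, rows_returned)
        self._tables = defaultdict(deque)   # session -> deque of (ts, table)

    @staticmethod
    def _expire(window, ts, max_age):
        # Drop entries older than the window relative to the newest timestamp.
        while window and ts - window[0][0] > max_age:
            window.popleft()

    def observe(self, ts, session, table, rows_returned):
        """Feed one completed query; return the [(rule_name, severity), ...] that fired."""
        findings = []
        if table in SENSITIVE_TABLES and rows_returned >= BULK_SELECT_ROWS:
            findings.append(("bulk_select", "medium"))

        rows = self._rows[session]
        rows.append((ts, rows_returned))
        self._expire(rows, ts, LARGE_EXPORT_WINDOW)
        if sum(r for _, r in rows) >= LARGE_EXPORT_ROWS:
            findings.append(("large_export", "high"))

        tables = self._tables[session]
        tables.append((ts, table))
        self._expire(tables, ts, SCAN_WINDOW)
        if len({t for _, t in tables}) > SCAN_TABLES:
            findings.append(("systematic_scan", "high"))
        return findings


def respond(findings):
    """Actions for the highest severity among the findings (none if nothing fired)."""
    if not findings:
        return []
    top = max(findings, key=lambda f: SEVERITY_RANK[f[1]])[1]
    return ACTIONS[top]


def run_sample():
    """Constructed session: one client reads 12 tables 20 seconds apart, then
    returns 11 minutes after its last query. Returns {query_index: findings}."""
    tables = ["accounts", "addresses", "audit_log", "customers", "invoices",
              "payments", "products", "refunds", "sessions", "shipments",
              "suppliers", "users"]
    start = datetime(2024, 1, 17, 10, 0, 0)
    det = ExfilDetector()
    out = {}
    for i, table in enumerate(tables, start=1):
        rows = 15_000 if table == "customers" else 8_000
        out[i] = det.observe(start + timedelta(seconds=20 * (i - 1)), "sess-42", table, rows)
    # Both windows have expired by now, so one further query is clean on its own.
    out[13] = det.observe(start + timedelta(minutes=14, seconds=40), "sess-42", "vendors", 8_000)
    return out


if __name__ == "__main__":
    for index, findings in run_sample().items():
        print(index, findings, respond(findings))
```

No single query in the sample is large, which is the point of windowing: bulk_select fires once on the customers read, systematic_scan fires at the eleventh distinct table, and large_export fires at the twelfth query when the five-minute row total crosses 100,000, so the session is terminated before the thirteenth.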
volume_rules: Detect unusual data volumes based on row counts and time windows.
patterns: Identify systematic scanning, table enumeration, and schema reconnaissance.
export_commands: Monitor COPY, pg_dump, mysqldump, bcp, and other export paths. A database-layer monitor sees statements rather than client binaries: pg_dump appears as catalog reads followed by COPY ... TO STDOUT, and mysqldump as a run of SELECT statements, so the dump utilities are recognized by those statement sequences, not by name.
# Data Exfiltration Detection
detection:
  data_exfiltration:
    enabled: true

    # Volume-based detection
    volume_rules:
      - name: large_export
        row_threshold: 100000
        time_window: 5m
        severity: high
      - name: bulk_select
        tables: [customers, orders, transactions]
        row_threshold: 10000
        severity: medium

    # Pattern-based detection
    patterns:
      - name: table_enumeration
        # Any read of the catalog views, not only "SELECT *". Written as the
        # literal "SELECT * FROM information_schema" the condition is a regex in
        # which "*" quantifies the preceding space, so it never matched that text.
        condition: '(?i)FROM\s+information_schema'
        severity: medium
      - name: systematic_scan
        condition: "sequential_table_access > 10"
        time_window: 10m
        severity: high

    # Export command monitoring
    export_commands:
      monitor: [COPY, pg_dump, mysqldump, bcp]
      require_approval: true
      log_destination: true

    # Response actions
    actions:
      high:
        - terminate_session
        - alert_security_team
        - preserve_evidence
      medium:
        - alert
        - increase_logging
Threat Intelligence Sources
DB Audit combines multiple detection methods for comprehensive threat coverage. Custom rules can be added for organization-specific threats.
Automated Response Actions
Configure automated responses to detected threats based on severity. From logging to session termination, take immediate action on threats.
# Response action configuration
response_actions:
  critical:
    - block_query            # Prevent query execution
    - terminate_session      # End the database session
    - alert:
        channels: [pagerduty, slack]
        immediate: true
    - preserve_evidence      # Capture full session context
  high:
    - block_query
    - alert:
        channels: [slack, email]
    - increase_logging       # Enable verbose logging
  medium:
    - alert:
        channels: [email]
    - log_details
  low:
    - log_details            # Record for review
Ready to Detect Database Threats?
Start protecting your databases with real-time threat detection. Identify SQL injection, anomalies, and data exfiltration before they cause damage.