Unusual database command-line access (e.g., psql, mysql, mongo or mongosh, sqlite3) from non-admin users, occurring outside typical automation windows or without a known service context. Often followed by data dumps to .sql/.csv files and then by outbound data transfers. The defender sees the CLI tools launched interactively or by unusual parent processes, file writes to dump-like filenames, and external connections shortly afterwards. An auditd PATH record carries no user field, so bind it to the SYSCALL record that shares its audit serial and take the account from that record's auid; the three stages are then correlated by host and account within TimeWindow.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: Execution of CLI tools like psql, mysql, mongo, sqlite3 |
| File Creation (DC0039) | auditd:PATH | Creation of files with extensions .sql, .csv, .sqlite, especially in user directories |
| Network Traffic Content (DC0085) | NSM:Flow | http::post: Outbound HTTP POST from host shortly after DB export activity |

| Field | Description |
|---|---|
| AllowedDBClients | List of user or automation accounts expected to use database clients |
| DumpFilePattern | Filename patterns used to identify data dumps (e.g., *.sql, backup_*.csv) |
| TimeWindow | Time threshold for correlating execution, file write, and outbound transfer |
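
The three-stage chain described above, written out as an added example (this is not code from the original analytic): an execve of a database client by an account outside AllowedDBClients, followed within TimeWindow by a dump-like file write from the same host and account, followed by an outbound HTTP POST from that host. The sample events are constructed and already normalized (the account on a PATH event is assumed to have been taken from the auid of its SYSCALL record; the http_post events stand in for the NSM flow/HTTP log), and the allow-list, glob patterns and window are hypothetical values.

```python
# Added example: three-stage correlation for the Linux database-client analytic.
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch
from typing import Iterable, List, Tuple

DB_CLIENTS = {"psql", "mysql", "mongo", "mongosh", "sqlite3"}

# Mutable elements (hypothetical values; tune per environment).
ALLOWED_DB_CLIENTS = {"backup_svc", "dba"}                          # AllowedDBClients
DUMP_FILE_PATTERNS = ["*.sql", "*.csv", "*.sqlite", "backup_*.csv"]  # DumpFilePattern
TIME_WINDOW = timedelta(minutes=10)                                 # TimeWindow


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str     # auid-resolved account ("" for flow events, which are host-level)
    kind: str     # "execve" (auditd SYSCALL), "path" (auditd PATH), "http_post" (NSM)
    detail: str   # comm for execve, created filename for path, destination for http_post


def looks_like_dump(path: str) -> bool:
    """Match the basename against the DumpFilePattern globs, case-insensitively."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(fnmatch(name, pat.lower()) for pat in DUMP_FILE_PATTERNS)


def correlate(events: Iterable[Event]) -> List[Tuple[str, str, str, str, str]]:
    """Return (host, user, client, dump_file, destination) for each complete chain.

    Stage 1: execve of a DB client by an account not in AllowedDBClients.
    Stage 2: within TimeWindow, the same host and account create a dump-like file.
    Stage 3: after the dump, still within TimeWindow, the host sends an HTTP POST.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, start in enumerate(ordered):
        if start.kind != "execve" or start.detail not in DB_CLIENTS:
            continue
        if start.user in ALLOWED_DB_CLIENTS:
            continue
        deadline = start.ts + TIME_WINDOW
        later = [e for e in ordered[i + 1:] if e.ts <= deadline and e.host == start.host]
        dump = next((e for e in later if e.kind == "path" and e.user == start.user
                     and looks_like_dump(e.detail)), None)
        if dump is None:
            continue
        # The transfer must follow the dump; a POST before it is unrelated traffic.
        post = next((e for e in later if e.kind == "http_post" and e.ts >= dump.ts), None)
        if post is None:
            continue
        alerts.append((start.host, start.user, start.detail, dump.detail, post.detail))
    return alerts


def at(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 1, hour, minute)


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # alice: interactive psql, CSV dump, POST to an external host -> full chain
    Event(at(10, 0), "web01", "alice", "execve", "psql"),
    Event(at(10, 3), "web01", "alice", "path", "/home/alice/customers.csv"),
    Event(at(10, 5), "web01", "", "http_post", "203.0.113.10:443"),
    # backup_svc: allow-listed automation doing the same thing -> no alert
    Event(at(2, 0), "db01", "backup_svc", "execve", "mysql"),
    Event(at(2, 1), "db01", "backup_svc", "path", "/var/backups/backup_prod.sql"),
    Event(at(2, 2), "db01", "", "http_post", "10.20.0.5:8443"),
    # bob: psql followed only by a text file -> no alert
    Event(at(11, 0), "app02", "bob", "execve", "psql"),
    Event(at(11, 2), "app02", "bob", "path", "/home/bob/notes.txt"),
    # carol: dump lands after TimeWindow has expired -> no alert
    Event(at(12, 0), "app03", "carol", "execve", "mysql"),
    Event(at(12, 30), "app03", "carol", "path", "/home/carol/users.sql"),
    Event(at(12, 31), "app03", "", "http_post", "198.51.100.7:443"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT host=%s user=%s client=%s dump=%s dst=%s" % alert)
```

Only the alice chain survives: the backup account is allow-listed, bob never writes a dump-like file, and carol's dump falls outside the window. In production the window and the dump patterns are the two knobs that move the false-positive rate most.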

Database client execution (e.g., sqlcmd.exe, isql.exe) by users or from locations not tied to enterprise automation or backups. Often followed by creation of .sql/.bak/.csv files, registry artifacts for ODBC DSNs or JDBC drivers, or encrypted ZIPs. The defender sees SQL tools launched by explorer.exe, PowerShell, or other odd parent processes, plus file writes in user temp locations. Two telemetry caveats: Security event 4688 carries the command line only when the "Include command line in process creation events" policy is enabled, and Sysmon Event ID 3 records the connection but no byte counts, so MaxTransferVolume has to be measured from flow, proxy, or firewall logs rather than from Sysmon.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| KnownDBToolPaths | Directories where legitimate database tools are installed |
| ExportExtensionPatterns | List of file extensions commonly used for DB exports |
| MaxTransferVolume | Threshold for outbound data volume that may suggest large DB dumps |
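
An added example (not code from the original page) that joins the 4688 process creation with the Sysmon Event ID 11 file write by host and process id, then scores the pair against KnownDBToolPaths, the parent process, and ExportExtensionPatterns in user temp locations. The join has to bridge a real encoding mismatch: 4688 reports NewProcessId as hex text ("0x1f40") while Sysmon reports ProcessId in decimal ("8000"), and because PIDs are reused the join is also bounded by time. The event dictionaries, tool paths, extension list and window are constructed, hypothetical values.

```python
# Added example: PID-keyed join of Security 4688 and Sysmon 11, scored per the Windows analytic.
from datetime import datetime, timedelta

# Mutable elements (hypothetical values; tune per environment).
KNOWN_DB_TOOL_PATHS = [r"C:\Program Files\Microsoft SQL Server",
                       r"C:\Program Files\PostgreSQL"]                # KnownDBToolPaths
EXPORT_EXTENSIONS = (".sql", ".bak", ".csv", ".zip")                  # ExportExtensionPatterns
JOIN_WINDOW = timedelta(minutes=15)   # bound the PID join; PIDs are reused after exit

DB_TOOLS = {"sqlcmd.exe", "isql.exe", "osql.exe", "bcp.exe", "mysql.exe", "psql.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}


def norm(path: str) -> str:
    """Case-fold and use backslashes so path comparisons behave like NTFS."""
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def in_known_path(image: str) -> bool:
    return any(norm(image).startswith(norm(p) + "\\") for p in KNOWN_DB_TOOL_PATHS)


def in_user_temp(path: str) -> bool:
    n = norm(path)
    return n.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in n


def is_export_file(path: str) -> bool:
    return basename(path).endswith(EXPORT_EXTENSIONS)


def pid_key(evt: dict):
    """(Computer, pid as int): 4688 NewProcessId is hex text, Sysmon ProcessId is decimal."""
    if evt["EventCode"] == 4688:
        return (evt["Computer"], int(evt["NewProcessId"], 16))
    return (evt["Computer"], int(evt["ProcessId"], 10))


def find_suspicious(events):
    """Pair each Sysmon 11 write with the most recent DB-tool 4688 on the same host and
    PID inside JOIN_WINDOW; report pairs that carry two or more independent signals."""
    starts = {}
    for e in events:
        if e["EventCode"] == 4688 and basename(e["NewProcessName"]) in DB_TOOLS:
            starts.setdefault(pid_key(e), []).append(e)
    findings = []
    for e in events:
        if e["EventCode"] != 11:
            continue
        candidates = [p for p in starts.get(pid_key(e), [])
                      if p["ts"] <= e["ts"] <= p["ts"] + JOIN_WINDOW]
        if not candidates:
            continue
        p = max(candidates, key=lambda c: c["ts"])
        reasons = []
        if not in_known_path(p["NewProcessName"]):
            reasons.append("tool outside KnownDBToolPaths")
        parent = basename(p["ParentProcessName"])
        if parent in INTERACTIVE_PARENTS:
            reasons.append("launched by " + parent)
        if is_export_file(e["TargetFilename"]) and in_user_temp(e["TargetFilename"]):
            reasons.append("export file in user temp")
        if len(reasons) >= 2:
            findings.append({"host": p["Computer"], "user": p["SubjectUserName"],
                             "tool": p["NewProcessName"], "file": e["TargetFilename"],
                             "reasons": reasons})
    return findings


def at(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 1, hour, minute)


# Constructed sample events (field names follow 4688 and Sysmon 11; values are made up).
SAMPLE_EVENTS = [
    {"EventCode": 4688, "ts": at(10, 0), "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Users\alice\Downloads\sqlcmd.exe", "NewProcessId": "0x1f40",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventCode": 11, "ts": at(10, 2), "Computer": "WS01", "ProcessId": "8000",
     "Image": r"C:\Users\alice\Downloads\sqlcmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\hr_export.csv"},
    # same PID on the same host hours later: a different process, outside the join window
    {"EventCode": 11, "ts": at(15, 0), "Computer": "WS01", "ProcessId": "8000",
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notes.csv"},
    # scheduled backup run from the installed tool path -> no finding
    {"EventCode": 4688, "ts": at(2, 0), "Computer": "SQL01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlcmd.exe",
     "NewProcessId": "0x2a8", "ParentProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": 11, "ts": at(2, 1), "Computer": "SQL01", "ProcessId": "680",
     "Image": r"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\sqlcmd.exe",
     "TargetFilename": r"D:\Backups\nightly.bak"},
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f)
```

Requiring two signals keeps a legitimate DBA who runs sqlcmd from PowerShell in the installed path out of the queue, while a copy of the tool in Downloads launched from Explorer and writing a CSV to the temp folder is reported with all three reasons.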

Execution of GUI database tools (e.g., DBeaver, Beekeeper Studio) or CLI clients (mysql, psql) from user profiles not tied to dev/admin roles, especially when followed by file writes and cloud sync activity. The defender correlates tool launches, file write events in ~/Downloads or ~/Documents, and outbound API calls to known cloud services. NSM flow records expose only destination IPs, so matching against CloudSyncDomainList needs DNS query logs or TLS SNI from the sensor alongside the flow data.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Process start of Java or native DB client tools |
| File Creation (DC0039) | macos:unifiedlog | Writes of .sql/.csv/.xlsx files to user documents/downloads |
| Network Traffic Content (DC0085) | NSM:Flow | HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage |

| Field | Description |
|---|---|
| CloudSyncDomainList | FQDNs of sync services used to detect likely outbound DB leakages |
| UserPrivilegeLevel | Whether to treat low-privilege users accessing DB tools as higher risk |

Database enumeration and export activity (e.g., SELECT * FROM, SHOW DATABASES) issued via ephemeral VMs, admin APIs, or a cloud shell from accounts that do not normally touch databases. The defender correlates control-plane audit logs (AWS CloudTrail, GCP Admin Activity audit logs, Azure diagnostic logs), storage write operations, and cross-region transfers by identities not tied to DB operations. The control-plane log records the API call and its caller, not the rows returned, so row-count and duration thresholds need the database engine's own audit log.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Metadata (DC0070) | AWS:CloudTrail | ExecuteStatement (RDS Data API, eventSource rdsdata.amazonaws.com) against RDS or Aurora from an identity or session without a known DB-operations context |
| Cloud Storage Access (DC0025) | AWS:CloudTrail | PutObject: S3 writes with .sql/.csv extension by same identity or within 5 min of DB access |
| Network Connection Creation (DC0082) | AWS:VPCFlowLogs | Bytes summed per source over the capture window exceeding 20 MB from the RDS subnet to external public IPs |

| Field | Description |
|---|---|
| IAMAccessPatterns | Define which IAM roles/accounts are allowed DB operations |
| S3ExportThreshold | Size threshold (MB) or file pattern for S3-based exfil monitoring |
| DBQueryVerbosityThreshold | Number of rows/columns or duration to flag long-running queries |
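
The CloudTrail correlation described above, as an added example (not code from the original page): a constructed CloudTrail log file is parsed, and an RDS Data API ExecuteStatement is paired with a later S3 PutObject of a .sql/.csv key by the same identity within five minutes, unless the caller's role or user name is one of the IAMAccessPatterns allowed for database work. The account id, ARNs, bucket names, keys and the allowed-principal set are hypothetical; the record fields (eventTime, eventSource, eventName, userIdentity.arn, requestParameters.bucketName/key) are the real CloudTrail ones.

```python
# Added example: pair RDS Data API calls with S3 export writes in CloudTrail records.
import json
from datetime import datetime, timedelta

# Mutable elements (hypothetical values; tune per environment).
ALLOWED_DB_PRINCIPALS = {"etl-role", "rds-backup-role"}  # IAMAccessPatterns
EXPORT_KEY_SUFFIXES = (".sql", ".csv")                   # S3ExportThreshold, pattern form
WINDOW = timedelta(minutes=5)


def principal_name(arn: str) -> str:
    """'arn:aws:sts::123456789012:assumed-role/etl-role/nightly' -> 'etl-role'
    'arn:aws:iam::123456789012:user/alice' -> 'alice'  (root stays 'root')."""
    resource = arn.split(":", 5)[-1]
    parts = resource.split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def parse_records(log_text: str) -> list:
    """Flatten a CloudTrail log file ({"Records": [...]}) into sorted event dicts."""
    events = []
    for r in json.loads(log_text)["Records"]:
        events.append({
            "ts": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "arn": r.get("userIdentity", {}).get("arn", ""),
            "source": r["eventSource"],
            "name": r["eventName"],
            "params": r.get("requestParameters") or {},
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(log_text: str) -> list:
    """Alert on PutObject of an export-like key within WINDOW after an
    ExecuteStatement by the same identity, unless that identity is allow-listed."""
    events = parse_records(log_text)
    db_calls = [e for e in events
                if e["source"] == "rdsdata.amazonaws.com" and e["name"] == "ExecuteStatement"]
    alerts = []
    for put in events:
        if put["source"] != "s3.amazonaws.com" or put["name"] != "PutObject":
            continue
        key = put["params"].get("key", "")
        if not key.lower().endswith(EXPORT_KEY_SUFFIXES):
            continue
        if principal_name(put["arn"]) in ALLOWED_DB_PRINCIPALS:
            continue
        for db in db_calls:
            if db["arn"] == put["arn"] and db["ts"] <= put["ts"] <= db["ts"] + WINDOW:
                alerts.append({"principal": principal_name(put["arn"]), "arn": put["arn"],
                               "db_call": db["ts"].isoformat(),
                               "bucket": put["params"].get("bucketName"), "key": key})
                break
    return alerts


CLUSTER = "arn:aws:rds:us-east-1:123456789012:cluster:prod-aurora"   # hypothetical
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
ETL = "arn:aws:sts::123456789012:assumed-role/etl-role/nightly"

# Constructed CloudTrail records (not a real log).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:12Z", "eventSource": "rdsdata.amazonaws.com",
     "eventName": "ExecuteStatement", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {"resourceArn": CLUSTER, "database": "customers"}},
    {"eventTime": "2024-05-01T10:03:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {"bucketName": "alice-scratch", "key": "exports/customers.csv"}},
    # allow-listed ETL role doing the same thing -> no alert
    {"eventTime": "2024-05-01T02:00:00Z", "eventSource": "rdsdata.amazonaws.com",
     "eventName": "ExecuteStatement", "userIdentity": {"type": "AssumedRole", "arn": ETL},
     "requestParameters": {"resourceArn": CLUSTER, "database": "customers"}},
    {"eventTime": "2024-05-01T02:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "AssumedRole", "arn": ETL},
     "requestParameters": {"bucketName": "etl-landing", "key": "daily/customers.csv"}},
    # bob's write lands 20 minutes after his query -> outside WINDOW, no alert
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "rdsdata.amazonaws.com",
     "eventName": "ExecuteStatement", "userIdentity": {"type": "IAMUser", "arn": BOB},
     "requestParameters": {"resourceArn": CLUSTER, "database": "customers"}},
    {"eventTime": "2024-05-01T11:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "IAMUser", "arn": BOB},
     "requestParameters": {"bucketName": "bob-scratch", "key": "dump.sql"}},
]})

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a)
```

S3 PutObject is a data event and is not recorded by a default management-only trail; the analytic only works once data-event logging is enabled for the buckets in scope. Matching on the full ARN rather than the role name keeps two sessions of the same role apart when the window is short.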

Unusual or excessive database/table exports from SaaS database platforms (e.g., Snowflake, Firebase, BigQuery, Airtable) by users or apps not in known analytics or dev groups. The defender observes access patterns outside baseline working hours or with new query shapes and correlates them with the platform's audit logs or file downloads.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:Snowflake | QUERY_HISTORY (SNOWFLAKE.ACCOUNT_USAGE): large or repeated SELECT * queries against sensitive tables |
| File Access (DC0055) | m365:unified | Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365) |

| Field | Description |
|---|---|
| BaselineQueryTemplates | Fingerprint (hash of the query text with literals and whitespace normalized) of common BI/ETL jobs, used to suppress known query shapes and reduce false positives |
| OffHoursAccessWindow | Window to define after-hours activity thresholds for DB access |
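
An added example (not code from the original page) that scores rows from Snowflake's SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view against the two mutable elements above. Each query is reduced to a literal-free fingerprint so that BaselineQueryTemplates matches a nightly BI job regardless of which period it ran for, and anything outside the baseline is checked for a SELECT * on a sensitive table, a role outside the analytics groups, a large row count, and an off-hours start. The sample rows, the sensitive-table list, the role names and the thresholds are constructed, hypothetical values; the column names (QUERY_TEXT, USER_NAME, ROLE_NAME, START_TIME, ROWS_PRODUCED) are the view's real ones.

```python
# Added example: query fingerprinting and off-hours scoring for the SaaS database analytic.
import hashlib
import re
from datetime import datetime

# Mutable elements (hypothetical values; tune per environment).
SENSITIVE_TABLES = {"hr.public.employees", "finance.public.payroll"}
ANALYTICS_ROLES = {"ANALYST", "BI_SERVICE"}   # known analytics/dev groups
OFF_HOURS = (20, 6)                           # OffHoursAccessWindow: 20:00 to 06:00
ROW_THRESHOLD = 100_000                       # rows produced that count as a bulk export


def normalize(sql: str) -> str:
    """Replace string and numeric literals with '?', collapse whitespace, lower-case."""
    q = re.sub(r"'(?:[^']|'')*'", "?", sql)        # 'abc', 'it''s' -> ?
    q = re.sub(r"\b\d+(?:\.\d+)?\b", "?", q)       # 42, 3.5 -> ?
    q = re.sub(r"\s+", " ", q).strip().lower()
    return q.rstrip(";").strip()


def fingerprint(sql: str) -> str:
    """Stable id for a query shape: same statement with different literals -> same id."""
    return hashlib.sha256(normalize(sql).encode()).hexdigest()[:16]


# BaselineQueryTemplates: fingerprints of the BI/ETL jobs we expect to see.
BASELINE_QUERY_TEMPLATES = {
    fingerprint("SELECT region, SUM(amount) FROM finance.public.payroll "
                "WHERE period = '2024-04' GROUP BY region"),
}


def is_off_hours(ts: datetime) -> bool:
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def full_table_read(sql: str):
    """Return the table name for a 'SELECT * FROM <table>' statement, else None."""
    m = re.search(r"\bselect \* from ([\w.]+)", normalize(sql))
    return m.group(1) if m else None


def evaluate(row: dict) -> list:
    """Reasons a QUERY_HISTORY row is suspicious; an empty list means benign."""
    if fingerprint(row["QUERY_TEXT"]) in BASELINE_QUERY_TEMPLATES:
        return []                                  # known job shape, whatever the literals
    reasons = []
    if row["ROLE_NAME"].upper() not in ANALYTICS_ROLES:
        reasons.append("role %s not in analytics/dev groups" % row["ROLE_NAME"])
    table = full_table_read(row["QUERY_TEXT"])
    if table in SENSITIVE_TABLES:
        reasons.append("SELECT * on sensitive table " + table)
    if row["ROWS_PRODUCED"] >= ROW_THRESHOLD:
        reasons.append("%d rows produced" % row["ROWS_PRODUCED"])
    if is_off_hours(row["START_TIME"]):
        reasons.append("off-hours start time")
    return reasons


# Constructed QUERY_HISTORY rows (not real data).
SAMPLE_ROWS = [
    # the nightly BI job, run for a new period: matches the baseline despite the literal
    {"USER_NAME": "BI_SVC", "ROLE_NAME": "BI_SERVICE", "START_TIME": datetime(2024, 5, 1, 3, 0),
     "ROWS_PRODUCED": 12,
     "QUERY_TEXT": "SELECT region, SUM(amount) FROM finance.public.payroll "
                   "WHERE period = '2024-05' GROUP BY region;"},
    # an admin role pulling a whole sensitive table at night
    {"USER_NAME": "ALICE", "ROLE_NAME": "ACCOUNTADMIN", "START_TIME": datetime(2024, 5, 1, 23, 14),
     "ROWS_PRODUCED": 250_000, "QUERY_TEXT": "SELECT * FROM HR.PUBLIC.EMPLOYEES;"},
    # an analyst's ad hoc count during the day: new shape, but nothing to flag
    {"USER_NAME": "BOB", "ROLE_NAME": "ANALYST", "START_TIME": datetime(2024, 5, 1, 10, 5),
     "ROWS_PRODUCED": 1,
     "QUERY_TEXT": "select count(*) from hr.public.employees where hire_date > '2023-01-01'"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["USER_NAME"], evaluate(row))
```

The literal stripping is what makes the baseline usable: without it every run of the same ETL job with a new date would look like a new query shape. Identifiers are left intact on purpose, so a job pointed at a different table does not inherit the baseline entry.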