What Changed
The Azure SQL Database solution received quality improvements across 10 analytic rules and 8 hunting queries. Changes include enhanced MITRE ATT&CK technique mappings, standardized alert customization, and improved query projections for better analyst workflow integration.
Detection Logic
All analytic rules monitor stateful anomalies in Azure SQL Database activity using AzureDiagnostics table data. The core logic flags a time slice when its count of statements containing monitored events exceeds the alert threshold while every slice in the historical training window stays below the training limit. Rules now end in consistent project statements with explicit column selection instead of a final sort operation, which improves query performance and guarantees that TimeGenerated is available for timeline analysis.
Entity mappings remain consistent across rules: Account (PrincipalName), IP (ClientIp), Host (HostName), and AzureResource (ResourceId).
MITRE Mapping
Technique assignments were corrected to match actual attack behaviors:
- Credential attacks (T1110.001, T1110.002): Added to credential error anomaly detection
- Command execution (T1059, T1059.001, T1059.003): Applied to shell command hotword detection
- Defense evasion (T1098, T1562): Mapped to firewall rule manipulation attempts
- Impact (T1485): Associated with database drop operations
- Command and control (T1071): Added to outgoing connection anomalies
- Data staging (T1213.006, T1567): Applied to data exfiltration patterns
Alert Enhancements
All 10 analytic rules now include:
- Custom alert formats: Dynamic titles using database name variables (e.g., “Credential errors stateful anomaly on database {{Database}}”)
- Contextual descriptions: Specific guidance on investigation focus for each threat pattern
- Custom details: HotWords field extraction for hotword-based rules, enabling analysts to quickly identify suspicious SQL keywords
- Version bump: All rules updated from 1.1.1 to 1.1.2
Performance Optimizations
Hunting queries received efficiency improvements:
- Reduced make_list/make_set size limits for better memory usage
- Replaced string concatenation joins with direct field joins on PrincipalName/ApplicationName
- Standardized ordering and projection patterns across query set
Affected Files
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-ErrorsCredentialStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-ErrorsFirewallStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-ErrorsSyntaxStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-HotwordsDropStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-HotwordsExecutionStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-HotwordsOutgoingStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Analytic Rules/Detection-VolumeResponseRowsStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-AffectedRowAnomaly.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-BooleanBlindSQLi.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-ExecutionTimeAnomaly.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-PrevalenceBasedQuerySizeAnomaly.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-SuspiciousStoredProcedures.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-TimeBasedQuerySizeAnomaly.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase.yaml
Solutions/Azure SQL Database solution for sentinel/Hunting Queries/HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase.yaml
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json)