Proofpoint | ObserveIT On-Premises Insider Threat Management

Executed SQL Command

This topic describes how to define alert rule conditions using the options available in the Executed SQL Command group category in the Did what? section of the Create Alert Rule page. (For more about the Did what? section, see Defining the "Did What?" Conditions.)

This option is available only for alert type rules on Windows operating systems.

The Executed SQL Command option enables you to define a rule that matches executed SQL statements containing specific keywords that you want to find.

Use the Executed SQL Command option to generate an alert when a user executes a particular SQL command against a database. This can help track when a user accesses a database and performs a potentially harmful activity, or even when a DBA performs certain actions at unusual hours or on particularly sensitive data; for example, when a user runs the "SELECT" statement in the middle of the night in an attempt to steal company data.

See Auditing DBA Activity for details about monitoring SQL queries executed by DBAs against production databases.

For example, if you want to generate an alert on a user trying to access a list of credit cards in a customer's database, you might specify the following SQL statement conditions:

"Executed SQL Command: Statement contains update, drop"
AND "Executed SQL Command: Statement contains CREDIT_CARD"

An alert is generated the first time each distinct command is executed in a session (for example, DROP TABLE CREDIT_CARD). The rule matches the exact text of the command and does not generate another alert when the identical command is executed a second time in the same session.

However, if any values change, a separate alert is generated upon each unique instance. For example, this rule will trigger two separate alerts for the following two instances where the UPDATE CREDIT_CARD command is executed in the same session but with different values assigned:

UPDATE CREDIT_CARD
SET Blocked = 1
WHERE CreditCardNumber = 6542789512345614

UPDATE CREDIT_CARD
SET Blocked = 1
WHERE CreditCardNumber = 1234561234561234
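The matching and per-session de-duplication behaviour described above can be simulated in a few lines, which makes it easy to check what a given rule will and will not alert on before deploying it. The following is an added example written for this page, not ObserveIT code: it models the two conditions from the credit-card example (a comma-separated keyword list is treated as "any of these keywords", the conditions are combined with AND, keyword comparison is assumed to be case-insensitive, and a statement spread over several lines is assumed to compare equal to the same statement on one line) and runs them over a constructed session of SQL statements.

```python
"""Simulation of the Executed SQL Command alert-rule semantics.

Added example for illustration; this is not ObserveIT's own rule engine.
Assumptions (not stated by the product documentation): keyword matching is
case-insensitive, a comma-separated keyword list means "any of", and
whitespace differences do not make two statements distinct.
"""

# Constructed rule: one inner list per "Statement contains ..." condition.
# All conditions must match (AND); within a condition any keyword suffices.
RULE = [
    ["update", "drop"],   # Executed SQL Command: Statement contains update, drop
    ["CREDIT_CARD"],      # Executed SQL Command: Statement contains CREDIT_CARD
]


def normalize(statement: str) -> str:
    """Collapse runs of whitespace so a multi-line statement compares equal
    to the same statement written on a single line (assumption)."""
    return " ".join(statement.split())


def statement_matches(statement: str, rule=RULE) -> bool:
    """Return True when every condition in the rule has at least one keyword
    present in the statement (case-insensitive, assumption)."""
    text = normalize(statement).lower()
    return all(any(kw.lower() in text for kw in cond) for cond in rule)


def evaluate_session(statements, rule=RULE):
    """Return the statements that raise an alert within one session.

    The first execution of a matching statement alerts; an exact repeat in
    the same session is suppressed; a statement that differs in any value
    is a new instance and alerts again.
    """
    seen = set()
    alerts = []
    for stmt in statements:
        if not statement_matches(stmt, rule):
            continue
        key = normalize(stmt).lower()
        if key in seen:
            continue  # identical command already alerted in this session
        seen.add(key)
        alerts.append(normalize(stmt))
    return alerts


# Constructed sample session (made-up statements and values, not real data).
SESSION = [
    "SELECT TOP 10 * FROM CUSTOMERS",                   # no update/drop: no alert
    "UPDATE ORDERS SET Status = 2 WHERE OrderId = 7",   # no CREDIT_CARD: no alert
    "UPDATE CREDIT_CARD\nSET Blocked = 1\nWHERE CreditCardNumber = 6542789512345614",
    "UPDATE CREDIT_CARD\nSET Blocked = 1\nWHERE CreditCardNumber = 1234561234561234",
    "DROP TABLE CREDIT_CARD",
    "DROP TABLE CREDIT_CARD",                           # exact repeat: suppressed
]

if __name__ == "__main__":
    for alert in evaluate_session(SESSION):
        print("ALERT:", alert)
```

Running the script prints three alerts: one for each UPDATE (the values differ, so each is a unique instance) and one for the first DROP TABLE; the repeated DROP TABLE in the same session is suppressed, exactly as the text above describes.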

Executing SQL commands could seriously impact the database. Therefore, it is important to create a rule with these criteria to alert whenever any changes are made to the database.

version 7.12.2