Database objects that hold user or company data, the procedures and logic that define the functionality of a system, and the people with permissions on these objects can all manipulate the structure and thus become an ongoing cause of data corruption or data theft. None of this can be tracked if auditing is not enabled.
Auditing should be implemented for all important tables, views, procedures, database links, and runtime logical flows that control certain functionality for business applications.
Logtitan SIEM has many built-in database audit monitoring rules, and it is also easy to develop rules of this kind:
- Monitor for specific usernames logging into unapproved databases
- Monitor for specific usernames accessing unapproved database tables
- Notify when a user connects to the network over VPN and then accesses a DB which holds PI data
- Monitor database logins against terminated employee users
- Monitor whether a VPN account has logged in to a machine and whether there is a request from this machine to a DB which holds PI data
- Monitor password changes
- Monitor unauthorized logon attempts
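
One way to express two of the rules above (database logins by terminated employees, and a VPN login followed by a request from the same machine to a DB which holds PI data) as correlation logic. This is an added example in plain Python, not Logtitan rule syntax or code from the product; the event fields, user names, addresses, database names and the 8-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed reference data (assumptions, not taken from any real environment).
TERMINATED = {"jdoe"}          # accounts of terminated employees
PI_DATABASES = {"hrdb"}        # databases that hold PI data
WINDOW = timedelta(hours=8)    # assumed lifetime of a VPN session for correlation

# Constructed, already-normalized audit events (VPN gateway + database audit log).
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "type": "vpn_login", "user": "asmith", "host": "10.8.0.15"},
    {"ts": "2024-05-01T08:20:00", "type": "db_login", "user": "app_ro", "host": "10.8.0.15", "db": "hrdb"},
    {"ts": "2024-05-01T09:00:00", "type": "db_login", "user": "jdoe", "host": "10.1.2.3", "db": "salesdb"},
    {"ts": "2024-05-01T09:30:00", "type": "db_login", "user": "bjones", "host": "10.1.2.9", "db": "hrdb"},
    {"ts": "2024-05-02T10:00:00", "type": "db_login", "user": "app_ro", "host": "10.8.0.15", "db": "hrdb"},
]

def detect(events):
    """Return alerts as (rule, user, host, db) tuples, in event-time order."""
    alerts = []
    vpn_sessions = {}  # host -> (VPN account, login time)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "vpn_login":
            vpn_sessions[ev["host"]] = (ev["user"], ts)
        elif ev["type"] == "db_login":
            # Rule: database login by a terminated employee account.
            if ev["user"] in TERMINATED:
                alerts.append(("terminated_user_db_login", ev["user"], ev["host"], ev["db"]))
            # Rule: VPN login on a machine, then a request from that machine to a PI database.
            # The alert names the VPN account, since the DB login may use a shared account.
            session = vpn_sessions.get(ev["host"])
            if session and ev["db"] in PI_DATABASES and ts - session[1] <= WINDOW:
                alerts.append(("vpn_then_pi_db_access", session[0], ev["host"], ev["db"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The last event does not alert because it falls outside the assumed 8-hour window after the VPN login; tune that window to the VPN gateway's real session lifetime or correlate on explicit logout events.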