Skip to content

Azure MySQL

Overview

Azure Database for MySQL provides fully managed, enterprise-ready community MySQL database as a service. The service is developed and managed by Microsoft Corp.

  • Vendor: Microsoft Azure
  • Supported environment: SaaS
  • Detection based on: Telemetry
  • Supported application or feature: Authentication logs, Application logs

Configure

This setup guide will show you how to forward events produced by Azure MySQL service to Sekoia.io.

Theses changes have to be made from the Azure Web Portal.

Azure Event Hubs

As a prerequisite, you need to choose an existing resource group, or create a new one (e.g. company-resource-group).

Retrieve your Subscription ID

You also need your Subscription ID if you don't have a default one.

In Azure Web Portal:

  1. Navigate to: Home > Cost Management + Billing > Subscriptions
  2. From there, copy the relevant Subscription ID that will be used in the command line (e.g. uuid)

Create the Event Hubs

Use Azure PowerShell (within Cloud Shell interface for example) to create a namespace (e.g. company-eventhub) and a specific Event Hub (e.g. mysql-event) within your resource group (e.g. company-resource-group)

PS Azure:\> az eventhubs namespace create --name company-eventhub --resource-group company-resource-group --enable-kafka true --subscription uuid

PS Azure:\> az eventhubs eventhub create --resource-group company-resource-group --namespace-name company-eventhub --name mysql-event --message-retention 3 --partition-count 4 --subscription uuid

Info

Please replace :

  • company-resource-group with the name of your resource group
  • uuid with your subscription ID retrieved previously (see below)

Create “Shared Access Policies”

  1. Navigate to Home > Event Hubs> company-eventhub - Shared access policies

    • From there, you can create a policy (e.g. RootManageSharedAccessKey) with the claims Manage, Send and Listen and note the Primary Key that will be used as the SharedAccessKey

  2. Navigate to Home > Event Hubs > company-eventhub > mysql-event - Shared access policies

    • From there, you can create a policy (e.g. sekoiaio) with the claims Listen
    • Once created, click on the policy and save the Connection string-primary key, to be sent to Sekoia.io

  3. Navigate to Home> Event Hubs> company-eventhub> mysql-event - Consumer groups

    • From there, you can create a consumer group (e.g. sekoiaio)

Create a Blob Storage for Checkpointing

In order to allow Sekoia.io, keep track of the consumed events, the next step consists in creating a dedicated Azure Blob Storage.

To proceed, you can use Azure PowerShell:

PS Azure:\> az storage account create --name "sekoiaiocheckpoint" --resource-group "company-resource-group"

PS Azure:\> az storage container create --name "mysql-event" --account-name "sekoiaiocheckpoint"

Info

The container name, here mysql-event should be the same as the Event Hub’s one. You also need to replace company-resource-group with the name of your resource group.

Finally, you have to retrieve the connection string from Azure Web Portal by going in Storage Accounts, then in the created storage (sekoiaiocheckpoint) and finally in the Access Keys section. After clicking on Show keys, you can copy the first of the two connection strings.

Azure MySQL

You need to activate and configure the Azure MySQL diagnostic settings (e.g. company-mysql). To configure these settings, follow these steps:

  1. Navigate to Home > SQL databases (e.g. company-mysql) > Monitoring > Diagnostic settings
  2. Add a new diagnostic setting, select Stream to an event hub and click on Configure
  3. Select the previously created Event hubs, Event Hub and SharedAccessKey
  4. In the log section, select MySqlAuditLogs and MySqlSlowLogs
  5. Choose a name for this configuration and click on Save

Forward the Connection Keys to Sekoia.io

Finally, please send to Sekoia.io the following information:

  • Azure Event Hub’s Connection string-primary key (e.g. "Endpoint=sb://company-eventhub.servicebus.windows.net/;SharedAccessKeyName=sekoiaio;SharedAccessKey=XXXXXX;EntityPath=mysql-event")
  • Azure Event Hub’s consumer group name (e.g. sekoiaio)
  • Azure Blob Storage’s connection string (e.g. "DefaultEndpointsProtocol=https;AccountName=sekoiaiocheckpoint;AccountKey=XXXXX")

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "LogicalServerName": "abc",
    "SubscriptionId": "1072bad1-5e23-468e-9680-52177642cd13",
    "ResourceGroup": "group",
    "time": "2019-10-25T12:46:45Z",
    "resourceId": "/SUBSCRIPTIONS/1072BAD1-5E23-468E-9680-52177642CD13/RESOURCEGROUPS/group/PROVIDERS/MICROSOFT.DBFORMYSQL/SERVERS/abc",
    "category": "MySqlAuditLogs",
    "operationName": "LogEvent",
    "properties": {
        "event_class": "connection_log",
        "event_subclass": "CONNECT",
        "connection_id": 7304735,
        "host": "",
        "ip": "1.1.1.1",
        "user": "grafana",
        "db": "grafana"
    }
}

{
    "LogicalServerName": "abc",
    "SubscriptionId": "123",
    "ResourceGroup": "group",
    "time": "2019-10-25T12:46:45Z",
    "resourceId": "/SUBSCRIPTIONS/123/RESOURCEGROUPS/group/PROVIDERS/MICROSOFT.DBFORMYSQL/SERVERS/abc",
    "category": "MySqlAuditLogs",
    "operationName": "LogEvent",
    "properties": {
        "event_class": "connection_log",
        "event_subclass": "DISCONNECT",
        "connection_id": 7304732,
        "host": "",
        "ip": "1.1.1.1",
        "user": "grafana",
        "db": "grafana"
    }
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

The following Sekoia.io built-in rules match the intake Azure Database for MySQL. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Azure Database for MySQL on ATT&CK Navigator

Cryptomining

Detection of domain names potentially related to cryptomining activities.

  • Effort: master
Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

  • Effort: master
Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

  • Effort: master
Login Brute-Force Successful On SentinelOne EDR Management Console

A user has attempted to login several times (brute-force) on the SentinelOne EDR Management Console and succeeded to login.

  • Effort: master
Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

  • Effort: master
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

  • Effort: master
TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Authentication logs user authentication events are parsed
Application logs SQL requests are analyzed

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{ \"LogicalServerName\": \"abc\", \"SubscriptionId\": \"1072bad1-5e23-468e-9680-52177642cd13\", \"ResourceGroup\": \"group\", \"time\": \"2019-10-25T12:46:45Z\", \"resourceId\": \"/SUBSCRIPTIONS/1072BAD1-5E23-468E-9680-52177642CD13/RESOURCEGROUPS/group/PROVIDERS/MICROSOFT.DBFORMYSQL/SERVERS/abc\", \"category\": \"MySqlAuditLogs\", \"operationName\": \"LogEvent\", \"properties\": {\"event_class\":\"connection_log\",\"event_subclass\":\"CONNECT\",\"connection_id\":7304735,\"host\":\"\",\"ip\":\"1.1.1.1\",\"user\":\"grafana\",\"db\":\"grafana\"}}",
    "event": {
        "outcome": "success"
    },
    "action": {
        "name": "CONNECT",
        "outcome": "success",
        "type": "connection_log"
    },
    "group": {
        "name": "group"
    },
    "host": {
        "hostname": "abc",
        "name": "abc"
    },
    "log": {
        "hostname": "abc"
    },
    "related": {
        "hosts": [
            "abc"
        ],
        "ip": [
            "1.1.1.1"
        ],
        "user": [
            "grafana"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    },
    "user": {
        "name": "grafana"
    }
}

{
    "message": "{ \"LogicalServerName\": \"abc\", \"SubscriptionId\": \"123\", \"ResourceGroup\": \"group\", \"time\": \"2019-10-25T12:46:45Z\", \"resourceId\": \"/SUBSCRIPTIONS/123/RESOURCEGROUPS/group/PROVIDERS/MICROSOFT.DBFORMYSQL/SERVERS/abc\", \"category\": \"MySqlAuditLogs\", \"operationName\": \"LogEvent\", \"properties\": {\"event_class\":\"connection_log\",\"event_subclass\":\"DISCONNECT\",\"connection_id\":7304732,\"host\":\"\",\"ip\":\"1.1.1.1\",\"user\":\"grafana\",\"db\":\"grafana\"}}",
    "event": {
        "outcome": "success"
    },
    "action": {
        "name": "DISCONNECT",
        "outcome": "success",
        "type": "connection_log"
    },
    "group": {
        "name": "group"
    },
    "host": {
        "hostname": "abc",
        "name": "abc"
    },
    "log": {
        "hostname": "abc"
    },
    "related": {
        "hosts": [
            "abc"
        ],
        "ip": [
            "1.1.1.1"
        ],
        "user": [
            "grafana"
        ]
    },
    "source": {
        "address": "1.1.1.1",
        "ip": "1.1.1.1"
    },
    "user": {
        "name": "grafana"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
group.name keyword Name of the group.
host.hostname keyword Hostname of the host.
source.ip ip IP address of the source.
user.name keyword Short name or login of the user.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.