LoFP / this event should only fire when an administrator is modifying the audit policy. which should be a rare occurrence once it's set up

Techniques

Sample rules

MSSQL Disable Audit Settings

• source: sigma
• technicques:

Description

Detects when an attacker calls the “ALTER SERVER AUDIT” or “DROP SERVER AUDIT” transaction in order to delete or disable audit logs on the server

Detection logic

condition: selection
selection:
  Data|contains:
  - statement:ALTER SERVER AUDIT
  - statement:DROP SERVER AUDIT
  EventID: 33205
  Provider_Name: MSSQLSERVER