
lfg524
Copper Contributor
Feb 21, 2025
Solved

Affected rows stateful anomaly on database vs. Response rows stateful anomaly on database

Is there a difference between the two scheduled rules, "Affected rows stateful anomaly on database" and "Response rows stateful anomaly on database"? I can see that they have different descriptions:

- Affected rows stateful anomaly on database - To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows.

- Response rows stateful anomaly on database - To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows.


This tells me the alert queries should be different. However, when I compare the two, they are exactly the same.

    luchete
    Steel Contributor

    Hi lfg524,

    Yes, there is a difference between the two. "Affected rows stateful anomaly" is meant to detect when data is changed or deleted, while "Response rows stateful anomaly" focuses on detecting when data is accessed, indicating possible data exfiltration. Even though the descriptions suggest different purposes, it's possible the queries are set up the same by mistake. You should verify and adjust the queries to match the intended purpose for each rule.

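To make the distinction concrete, here is an added illustration (not the Sentinel rule templates' own KQL, and not code from either poster) of what a "stateful" anomaly rule does and why the two rules must key on different counters. It builds a per-principal daily baseline over a 14-day lookback and scores the current day as a z-score; the field names `affected_rows` and `response_rows`, the constructed audit events, the per-principal grouping and the z-score threshold are all assumptions made for the example. Running the same logic once over `affected_rows` and once over `response_rows` flags a different principal each time, which is exactly what two rules with identical queries would fail to do.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample audit events (not real data). Field names are assumed to
# mirror the per-statement affected-rows / response-rows counters in SQL auditing:
# a SELECT returns rows (response_rows > 0, affected_rows == 0), while an
# UPDATE/DELETE changes rows (affected_rows > 0, response_rows == 0).
BASE_DAY = date(2025, 2, 1)
SCORE_DAY = BASE_DAY + timedelta(days=14)   # the day the rule is evaluated for


def _baseline_events():
    events = []
    jitter = [0, 10, -5, 20, 5, -10, 15]    # small day-to-day variation
    for i in range(14):
        day = BASE_DAY + timedelta(days=i)
        j = jitter[i % len(jitter)]
        # app_svc: reads ~1000 rows/day and updates ~100 rows/day
        events.append({"day": day, "principal": "app_svc", "action": "SELECT",
                       "affected_rows": 0, "response_rows": 1000 + 10 * j})
        events.append({"day": day, "principal": "app_svc", "action": "UPDATE",
                       "affected_rows": 100 + j, "response_rows": 0})
        # batch_job: reads ~800 rows/day and updates ~500 rows/day
        events.append({"day": day, "principal": "batch_job", "action": "SELECT",
                       "affected_rows": 0, "response_rows": 800 + 10 * j})
        events.append({"day": day, "principal": "batch_job", "action": "UPDATE",
                       "affected_rows": 500 + 10 * j, "response_rows": 0})
    # new_user: only two days of history, below the minimum baseline length
    for i in (12, 13):
        events.append({"day": BASE_DAY + timedelta(days=i), "principal": "new_user",
                       "action": "SELECT", "affected_rows": 0, "response_rows": 500})
    return events


def _score_day_events():
    return [
        # app_svc reads 250,000 rows (exfiltration-like); its write volume is normal
        {"day": SCORE_DAY, "principal": "app_svc", "action": "SELECT",
         "affected_rows": 0, "response_rows": 250_000},
        {"day": SCORE_DAY, "principal": "app_svc", "action": "UPDATE",
         "affected_rows": 105, "response_rows": 0},
        # batch_job deletes 60,000 rows (mass deletion); its read volume is normal
        {"day": SCORE_DAY, "principal": "batch_job", "action": "SELECT",
         "affected_rows": 0, "response_rows": 810},
        {"day": SCORE_DAY, "principal": "batch_job", "action": "DELETE",
         "affected_rows": 60_000, "response_rows": 0},
        # new_user reads a lot, but has too little history to be scored
        {"day": SCORE_DAY, "principal": "new_user", "action": "SELECT",
         "affected_rows": 0, "response_rows": 90_000},
    ]


EVENTS = _baseline_events() + _score_day_events()


def daily_totals(events, field):
    """Sum one counter per (principal, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["principal"], e["day"])] += e[field]
    return totals


def detect_stateful_anomaly(events, field, score_day, lookback_days=14,
                            threshold=3.0, min_baseline_days=7):
    """Flag principals whose total for `field` on score_day is far above their own
    recent baseline. 'Stateful' here means the baseline is learned from each
    principal's own history rather than from a fixed row-count cut-off."""
    totals = daily_totals(events, field)
    anomalies = []
    for principal in sorted({p for (p, _) in totals}):
        window = [totals.get((principal, score_day - timedelta(days=d)), 0)
                  for d in range(1, lookback_days + 1)]
        baseline = [v for v in window if v > 0]      # only days with activity count
        if len(baseline) < min_baseline_days:
            continue                                  # not enough history to judge
        mu, sigma = mean(baseline), pstdev(baseline)
        # floor sigma so a flat baseline does not turn a trivial increase into a hit
        sigma = max(sigma, 0.1 * mu, 1.0)
        today = totals.get((principal, score_day), 0)
        score = (today - mu) / sigma
        if score >= threshold:
            anomalies.append({"principal": principal, "field": field, "value": today,
                              "baseline_mean": round(mu, 1), "score": round(score, 1)})
    return anomalies


def run_both_rules():
    """Mimic the two rules: one keyed on affected rows, one on response rows."""
    return {field: [a["principal"] for a in detect_stateful_anomaly(EVENTS, field, SCORE_DAY)]
            for field in ("affected_rows", "response_rows")}


if __name__ == "__main__":
    for field in ("affected_rows", "response_rows"):
        for hit in detect_stateful_anomaly(EVENTS, field, SCORE_DAY):
            print(hit)
```

With the constructed data, the affected-rows pass flags only `batch_job` (mass deletion) and the response-rows pass flags only `app_svc` (mass read), while `new_user` is skipped for lack of history. If both rules were wired to the same field, one of those two behaviours would be silently lost, so after deploying the templates it is worth opening each rule's query and confirming which counter it actually aggregates.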