CPC H04L 63/1416 (2013.01) [H04L 63/1425 (2013.01); H04L 63/20 (2013.01)]

16 Claims
1. A system comprising:
a processing unit;
a storage device comprising instructions, which when executed by the processing unit, configure the system to perform operations comprising:
detecting execution of a malicious SQL command at an SQL server;
receiving metadata associated with the indicator associated with the detected malicious SQL command, the metadata comprising:
the malicious SQL command,
a device identifier of a first computing device,
a process identifier associated with the malicious SQL command, and
a timestamp of the malicious SQL command execution;
receiving, from a second computing device, log activity data comprising:
a device identifier of the second computing device,
a process identifier and associated execution timestamp for a process executed on the second computing device, and
a user identifier associated with the process identifier;
matching the device identifier of the first computing device to the device identifier of the second computing device;
matching the process identifier and timestamp from the metadata with the process identifier and associated execution timestamp from the log activity data;
accessing the user identifier associated with the matched process identifier; and
transmitting an alert identifying the second computing device as a source of the malicious SQL command, and the accessed user identifier.
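The correlation the claim recites (match the device identifiers, then match the process identifier and timestamp, then read off the user), as an added example in Python; this is not code from the patent or its assignee. The record shapes, the 24-hour tolerance window, the tie-breaking for reused process identifiers and the sample records are all assumptions made for the illustration.

```python
"""Correlate a malicious-SQL detection at the server with endpoint process logs.

Added example illustrating the correlation the claim describes; not code from
the patent. Field names, the tolerance window and the sample records are
assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class SqlAlertMetadata:
    """Metadata received with the SQL server's detection (the claim's first device)."""
    command: str
    device_id: str
    process_id: int
    timestamp: datetime


@dataclass(frozen=True)
class ProcessLogEntry:
    """Log activity data reported by an endpoint (the claim's second device)."""
    device_id: str
    process_id: int
    exec_timestamp: datetime
    user_id: str


@dataclass(frozen=True)
class SourceAlert:
    """The alert the claim transmits: source device plus the responsible user."""
    source_device_id: str
    user_id: str
    process_id: int
    command: str


# Assumed tolerance: the endpoint process must have started no later than the
# SQL command and no earlier than this window before it. Operating systems reuse
# process identifiers, so an unbounded window would risk blaming an unrelated
# earlier process that happened to hold the same PID.
MAX_PROCESS_AGE = timedelta(hours=24)
STRICT_WINDOW = timedelta(minutes=1)  # used below to show the window matters


def correlate(alert: SqlAlertMetadata,
              log_entries: Iterable[ProcessLogEntry],
              max_age: timedelta = MAX_PROCESS_AGE) -> Optional[SourceAlert]:
    """Return the source alert for `alert`, or None when no endpoint record matches.

    Timestamps are expected to be timezone-aware so that the SQL server's clock
    and the endpoint's clock are compared on a common basis.
    """
    candidates = [
        e for e in log_entries
        if e.device_id == alert.device_id           # claim: match device identifiers
        and e.process_id == alert.process_id        # claim: match process identifiers
        and e.exec_timestamp <= alert.timestamp     # process already existed at command time
        and alert.timestamp - e.exec_timestamp <= max_age
    ]
    if not candidates:
        return None
    # PID reuse: several entries may share the PID on one device. The most recent
    # start that still precedes the command is the process that held the PID then.
    best = max(candidates, key=lambda e: e.exec_timestamp)
    return SourceAlert(source_device_id=best.device_id, user_id=best.user_id,
                       process_id=best.process_id, command=alert.command)


def render_alert(result: SourceAlert) -> str:
    """Human-readable form of the transmitted alert."""
    return (f"malicious SQL command {result.command!r} originated from device "
            f"{result.source_device_id} (pid {result.process_id}), "
            f"executed by user {result.user_id}")


# Constructed sample data (not from the page). Command text is a placeholder.
UTC = timezone.utc
SAMPLE_LOG = [
    ProcessLogEntry("WS-042", 4312, datetime(2024, 5, 1, 8, 0, tzinfo=UTC), "bob"),    # earlier holder of pid 4312, since exited
    ProcessLogEntry("WS-042", 4312, datetime(2024, 5, 1, 9, 55, tzinfo=UTC), "alice"), # holder of pid 4312 at command time
    ProcessLogEntry("WS-042", 4312, datetime(2024, 5, 1, 10, 10, tzinfo=UTC), "carol"),# started after the command; excluded
    ProcessLogEntry("WS-017", 4312, datetime(2024, 5, 1, 9, 50, tzinfo=UTC), "dave"),  # same pid, different device; excluded
]
SAMPLE_ALERT = SqlAlertMetadata("<flagged SQL statement 1>", "WS-042", 4312,
                                datetime(2024, 5, 1, 10, 2, tzinfo=UTC))
UNMATCHED_ALERT = SqlAlertMetadata("<flagged SQL statement 2>", "WS-099", 77,
                                   datetime(2024, 5, 1, 10, 2, tzinfo=UTC))

if __name__ == "__main__":
    matched = correlate(SAMPLE_ALERT, SAMPLE_LOG)
    print(render_alert(matched) if matched else "no endpoint record matched")
    print(correlate(UNMATCHED_ALERT, SAMPLE_LOG))  # None: no log from WS-099
```

Two points the claim leaves implicit are made explicit here: the process must have started before the command was executed, and when a process identifier appears more than once on the same device (PID reuse), the most recent start before the command is the one attributed. Tightening `max_age` to `STRICT_WINDOW` causes the sample alert to go unmatched, which shows why the tolerance window has to be chosen against how long the endpoint's client processes actually live.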