Infoblox
About
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). Microsoft markets at least a dozen different editions of Microsoft SQL Server, aimed at different audiences and for workloads ranging from small single-machine applications to large Internet-facing applications with many concurrent users.
Product Details
Vendor URL: Microsoft SQL Server
Product Type: Database
Product Tier: Tier III
Integration Method: Syslog/JSON
Integration URL: How to Configure syslog Audit Logs
Log Guide: User Guide
Parser Details
Log Format: Syslog/JSON
Expected Normalization Rate: 90%
Data Label: MICROSOFT_SQL
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
database_name | target.resource.parent |
database_principal_id | principal.resource.product_object_id |
database_principal_name | principal.resource.name |
db_name | target.resource.name |
dst_host | target.hostname |
dst_user | target.user.userid |
dst_user_role | target.user.attribute.roles |
dst_username | target.asset.hostname |
event_type | metadata.product_event_type |
file_path | target.file.full_path |
kv_data_error.Error | additional_error.value.string_value |
kv_data_error.Severity | additional_severity.value.string_value |
kv_data_error.Severity | _sr.severity_details |
kv_data_error.State | additional_state.value.string_value |
kv.first_LSN | additional_first_lsn.value.string_value |
kv.last_LSN | additional_last_lsn.value.string_value |
kv.number_of_dump_devices | additional_num_of_dump_devices.value.string_value |
kv.pages_dumped | additional_pagedump.value.string_value |
ori_username | principal.artifact.ip |
reason | metadata.description |
server_instance_name | target.hostname |
server_principal_sid | principal.process.pid |
session_id | network.session_id |
sr_description_new | _sr.description |
statement | _sr.description |
statement | target.process.command_line |
sum_msg | _sr.description |
target_server_principal_id | target.resource.product_object_id |
target_server_principal_name | target.resource.name |
Product Event Types
Event | UDM Event Classification |
---|---|
action_id =~ "AS" | USER_RESOURCE_ACCESS |
action_id =~ "CO" | NETWORK_CONNECTION |
action_id =~ "CR|APRL" | USER_CREATION |
action_id =~ "DL" | FILE_DELETION |
action_id =~ "DR" | USER_UNCATEGORIZED |
action_id =~ "G " | USER_RESOURCE_ACCESS |
action_id =~ "GRDB" | USER_RESOURCE_UPDATE_PERMISSIONS |
action_id =~ "GRDO" | USER_RESOURCE_UPDATE_CONTENT |
action_id =~ "LGIF" | USER_LOGOUT |
action_id =~ "LGIS" | USER_LOGIN |
action_id =~ "LGNM" | USER_LOGOUT |
action_id =~ "LGO" | FILE_MOVE |
action_id =~ "PWC" | USER_CHANGE_PASSWORD |
All other (non-defined) events | GENERIC_EVENT |
Log Sample
<13>Dec 8 16:01:01 SQL01 Log was backed up. Database: PermissionDB, creation date(time): 2022/04/08(11:41:58), first LSN: 51:37092:1, last LSN: 51:37096:1, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'}). This is an informational message only. No user action is required.
Sample Parsing
metadata.event_type = "FILE_SYNC"
metadata.vendor_name = "Microsoft"
metadata.product_name = "SQL Server"
metadata.product_event_type = "Log was backed up."
additional.fields["last LSN"] = "51:37096:1"
additional.fields["number of dump devices"] = "1"
additional.fields["first LSN"] = "51:37092:1"
additional.fields["Severity"] = ""
principal.hostname = "SQL01"
principal.asset.hostname = "SQL01"
principal.asset.creation_time.seconds = 1649418118
principal.asset.creation_time.nanos = 0
target.file.full_path = "'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'"
security_result.summary = "No user action is required."
security_result.description = "This is an informational message only."
security_result.action = "UNKNOWN_ACTION"
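As an added worked example (it is not the Chronicle parser or any Microsoft code), the following Python reproduces the normalization shown above for the backup log line and the action_id classification table from the Product Event Types section. The regexes, the first-match-wins order when walking the classification table, the interpretation of the creation timestamp as UTC (which yields the 1649418118 shown in the sample), and the syslog facility/severity fields decoded from the PRI are assumptions of this example, not mappings documented on the page.

```python
"""Worked example of the Microsoft SQL Server syslog normalization on this page.

Constructed example, not Chronicle's parser: it reproduces the "Sample Parsing"
output for the backup line and the action_id -> UDM classification table.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the line from the page's "Log Sample" section.
SAMPLE_LOG = (
    r"<13>Dec 8 16:01:01 SQL01 Log was backed up. Database: PermissionDB, "
    r"creation date(time): 2022/04/08(11:41:58), first LSN: 51:37092:1, "
    r"last LSN: 51:37096:1, number of dump devices: 1, device information: "
    r"(FILE=1, TYPE=DISK: {'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'}). "
    r"This is an informational message only. No user action is required."
)

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Key/value pairs carried by the "Log was backed up." message (assumed regexes).
BACKUP_KV = {
    "first LSN": re.compile(r"first LSN: (?P<v>[\d:]+)"),
    "last LSN": re.compile(r"last LSN: (?P<v>[\d:]+)"),
    "number of dump devices": re.compile(r"number of dump devices: (?P<v>\d+)"),
}
DATABASE_RE = re.compile(r"Database: (?P<v>[^,]+),")
CREATION_RE = re.compile(
    r"creation date\(time\): (?P<d>\d{4}/\d{2}/\d{2})\((?P<t>\d{2}:\d{2}:\d{2})\)"
)
DEVICE_PATH_RE = re.compile(r"\{'(?P<v>[^']+)'\}")  # path inside {'...'}
TRAILER_RE = re.compile(r"\)\. (?P<v>.*)$")         # free text after device info

# action_id -> UDM classification, in the order of the page's table.
# Patterns are regexes (the table's "=~"); first match wins (assumption).
EVENT_CLASSIFICATION = [
    ("AS", "USER_RESOURCE_ACCESS"),
    ("CO", "NETWORK_CONNECTION"),
    ("CR|APRL", "USER_CREATION"),
    ("DL", "FILE_DELETION"),
    ("DR", "USER_UNCATEGORIZED"),
    ("G ", "USER_RESOURCE_ACCESS"),
    ("GRDB", "USER_RESOURCE_UPDATE_PERMISSIONS"),
    ("GRDO", "USER_RESOURCE_UPDATE_CONTENT"),
    ("LGIF", "USER_LOGOUT"),
    ("LGIS", "USER_LOGIN"),
    ("LGNM", "USER_LOGOUT"),
    ("LGO", "FILE_MOVE"),
    ("PWC", "USER_CHANGE_PASSWORD"),
]


def classify_action(action_id: str) -> str:
    """Map a SQL Server audit action_id to the UDM event classification."""
    for pattern, classification in EVENT_CLASSIFICATION:
        if re.search(pattern, action_id):
            return classification
    return "GENERIC_EVENT"


def normalize_backup_event(line: str) -> dict:
    """Flatten a 'Log was backed up.' syslog line into UDM-style field paths."""
    header = SYSLOG_RE.match(line)
    if header is None:
        raise ValueError("not a syslog line")
    msg = header["msg"]
    pri = int(header["pri"])
    event_type = msg.split(". ", 1)[0] + "."  # "Log was backed up."

    udm = {
        "metadata.event_type": "FILE_SYNC",  # value the page shows for this message
        "metadata.vendor_name": "Microsoft",
        "metadata.product_name": "SQL Server",
        "metadata.product_event_type": event_type,
        "principal.hostname": header["host"],
        "principal.asset.hostname": header["host"],
        # PRI decoding is standard syslog (facility*8 + severity), not a page mapping.
        'additional.fields["syslog_facility"]': str(pri // 8),
        'additional.fields["syslog_severity"]': str(pri % 8),
    }
    for key, rx in BACKUP_KV.items():
        if (m := rx.search(msg)) is not None:
            udm[f'additional.fields["{key}"]'] = m["v"]
    if (m := DATABASE_RE.search(msg)) is not None:
        udm["target.resource.name"] = m["v"]  # db_name -> target.resource.name
    if (m := CREATION_RE.search(msg)) is not None:
        created = datetime.strptime(f"{m['d']} {m['t']}", "%Y/%m/%d %H:%M:%S")
        # Assumed UTC; matches the 1649418118 shown in the page's Sample Parsing.
        udm["principal.asset.creation_time.seconds"] = int(
            created.replace(tzinfo=timezone.utc).timestamp()
        )
    if (m := DEVICE_PATH_RE.search(msg)) is not None:
        udm["target.file.full_path"] = m["v"]  # quotes stripped here
    if (m := TRAILER_RE.search(msg)) is not None:
        sentences = re.split(r"(?<=\.) ", m["v"].strip())
        udm["security_result.description"] = sentences[0]
        udm["security_result.summary"] = sentences[-1]
        udm["security_result.action"] = "UNKNOWN_ACTION"
    return udm


if __name__ == "__main__":
    for k, v in normalize_backup_event(SAMPLE_LOG).items():
        print(f"{k} = {v!r}")
    print(classify_action("LGIS"), classify_action("G   "), classify_action("ZZZZ"))
```

One difference from the page's sample output is deliberate: the example strips the single quotes around the backup file path, whereas the Sample Parsing above keeps them inside target.file.full_path. The classification list is walked in table order, which matters because action_id values overlap (for example "G " and "GRDB"); SQL Server pads short action_ids with spaces, which is why the table's "G " pattern carries a trailing space.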
Parser Alerting
This product currently does not have any Parser-based Alerting.