
Microsoft SQL Server

About

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). Microsoft markets at least a dozen different editions of Microsoft SQL Server, aimed at different audiences and for workloads ranging from small single-machine applications to large Internet-facing applications with many concurrent users.

Product Details

Vendor URL: Microsoft SQL Server

Product Type: Database

Product Tier: Tier III

Integration Method: Syslog/JSON

Integration URL: How to Configure syslog Audit Logs

Log Guide: User Guide

Parser Details

Log Format: Syslog/JSON

Expected Normalization Rate: 90%

Data Label: MICROSOFT_SQL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                 UDM Field
database_name                  target.resource.parent
database_principal_id          principal.resource.product_object_id
database_principal_name        principal.resource.name
db_name                        target.resource.name
dst_host                       target.hostname
dst_user                       target.user.userid
dst_user_role                  target.user.attribute.roles
dst_username                   target.asset.hostname
event_type                     metadata.product_event_type
file_path                      target.file.full_path
kv_data_error.Error            additional_error.value.string_value
kv_data_error.Severity         additional_severity.value.string_value
kv_data_error.Severity         _sr.severity_details
kv_data_error.State            additional_state.value.string_value
kv.first_LSN                   additional_first_lsn.value.string_value
kv.last_LSN                    additional_last_lsn.value.string_value
kv.number_of_dump_devices      additional_num_of_dump_devices.value.string_value
kv.pages_dumped                additional_pagedump.value.string_value
ori_username                   principal.artifact.ip
reason                         metadata.description
server_instance_name           target.hostname
server_principal_sid           principal.process.pid
session_id                     network.session_id
sr_description_new             _sr.description
statement                      _sr.description
statement                      target.process.command_line
sum_msg                        _sr.description
target_server_principal_id     target.resource.product_object_id
target_server_principal_name   target.resource.name

Product Event Types

Event                          UDM Event Classification
action_id =~ "AS"              USER_RESOURCE_ACCESS
action_id =~ "CO"              NETWORK_CONNECTION
action_id =~ "CR|APRL"         USER_CREATION
action_id =~ "DL"              FILE_DELETION
action_id =~ "DR"              USER_UNCATEGORIZED
action_id =~ "G "              USER_RESOURCE_ACCESS
action_id =~ "GRDB"            USER_RESOURCE_UPDATE_PERMISSIONS
action_id =~ "GRDO"            USER_RESOURCE_UPDATE_CONTENT
action_id =~ "LGIF"            USER_LOGOUT
action_id =~ "LGIS"            USER_LOGIN
action_id =~ "LGNM"            USER_LOGOUT
action_id =~ "LGO"             FILE_MOVE
action_id =~ "PWC"             USER_CHANGE_PASSWORD
All events not listed above    GENERIC_EVENT

Log Sample

<13>Dec  8 16:01:01 SQL01 Log was backed up. Database: PermissionDB, creation date(time): 2022/04/08(11:41:58), first LSN: 51:37092:1, last LSN: 51:37096:1, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'}). This is an informational message only. No user action is required.

Sample Parsing

metadata.event_type = "FILE_SYNC"
metadata.vendor_name = "Microsoft"
metadata.product_name = "SQL Server"
metadata.product_event_type = "Log was backed up."
additional.fields["last LSN"] = "51:37096:1"
additional.fields["number of dump devices"] = "1"
additional.fields["first LSN"] = "51:37092:1"
additional.fields["Severity"] = ""
principal.hostname = "SQL01"
principal.asset.hostname = "SQL01"
principal.asset.creation_time.seconds = 1649418118
principal.asset.creation_time.nanos = 0
target.file.full_path = "'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'"
security_result.summary = "No user action is required."
security_result.description = "This is an informational message only."
security_result.action = "UNKNOWN_ACTION"
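As an added illustration (not the Chronicle parser itself, which this page does not show), the following Python maps the sample line above onto the documented output fields; the regular expressions, the function name and the UTC interpretation of creation date(time) are assumptions chosen to reproduce the Sample Parsing block, and the embedded log line is a constructed copy of the Log Sample.

```python
import re
from datetime import datetime, timezone
# Constructed copy of the page's "Log was backed up." sample (raw segment keeps the UNC backslashes).
SAMPLE = (
    "<13>Dec  8 16:01:01 SQL01 Log was backed up. Database: PermissionDB, "
    "creation date(time): 2022/04/08(11:41:58), first LSN: 51:37092:1, "
    "last LSN: 51:37096:1, number of dump devices: 1, device information: "
    r"(FILE=1, TYPE=DISK: {'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'}). "
    "This is an informational message only. No user action is required."
)
# RFC 3164-style header: <PRI>, timestamp, hostname, then the free-text message.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
# "key: value" pieces of the message body; capture group 1 is the value that lands in UDM.
FIELD_RES = {
    "db_name": r"Database: ([^,]+),",
    "creation": r"creation date\(time\): (\d{4}/\d{2}/\d{2}\(\d{2}:\d{2}:\d{2}\))",
    "first LSN": r"first LSN: ([\d:]+)",
    "last LSN": r"last LSN: ([\d:]+)",
    "number of dump devices": r"number of dump devices: (\d+)",
    "file_path": r"\{('[^']*')\}",  # surrounding quotes are kept, as in the documented output
}

def parse_sql_backup_event(line: str) -> dict:
    # Map one SQL Server backup syslog line onto the UDM fields the page documents (assumed helper).
    m = SYSLOG_RE.match(line)
    if m is None: raise ValueError("not an RFC 3164 syslog line")
    host, msg = m.group("host"), m.group("msg")
    event_type = msg.split(". ", 1)[0] + "."  # first sentence -> metadata.product_event_type
    kv = {k: mm.group(1) for k, pat in FIELD_RES.items() if (mm := re.search(pat, msg))}
    # Text after the device-information block: first sentence -> description, last -> summary.
    tail = msg.split("). ", 1)[1] if "). " in msg else ""
    sentences = [s.strip() for s in re.findall(r"[^.]+\.", tail)]
    udm = {
        "metadata.vendor_name": "Microsoft", "metadata.product_name": "SQL Server",
        "metadata.product_event_type": event_type,
        "principal.hostname": host, "principal.asset.hostname": host,
        "target.resource.name": kv.get("db_name"),  # db_name -> target.resource.name per the field table
        "target.file.full_path": kv.get("file_path"),
        "additional.fields": {k: v for k, v in kv.items() if k.endswith("LSN") or k.startswith("number")},
        "security_result.description": sentences[0] if sentences else "",
        "security_result.summary": sentences[-1] if sentences else "",
    }
    if "creation" in kv:  # the documented output treats creation date(time) as UTC
        created = datetime.strptime(kv["creation"], "%Y/%m/%d(%H:%M:%S)").replace(tzinfo=timezone.utc)
        udm["principal.asset.creation_time.seconds"] = int(created.timestamp())
    return udm

if __name__ == "__main__":
    for field, value in parse_sql_backup_event(SAMPLE).items():
        print(f"{field} = {value!r}")
```

Lines that do not carry the key/value block (a different SQL Server message, for instance) still yield the header fields and an empty additional.fields, which mirrors why the page quotes a 90% rather than 100% normalization rate.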

Parser Alerting

This product currently does not have any parser-based alerting.