Infoblox¶

Microsoft SQL Server

About¶

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). Microsoft markets at least a dozen different editions of Microsoft SQL Server, aimed at different audiences and for workloads ranging from small single-machine applications to large Internet-facing applications with many concurrent users.

Product Details¶

Vendor URL: Microsoft SQL Server

Product Type: Database

Product Tier: Tier III

Integration Method: Syslog/json

Integration URL: How to Configure syslog Audit Logs

Log Guide: User Guide

Parser Details¶

Log Format: Syslog/JSON

Expected Normalization Rate: 90%

Data Label: MICROSOFT_SQL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field	UDM Field
database_name	target.resource.parent
database_principal_id	principal.resource.product_object_id
database_principal_name	principal.resource.name
db_name	target.resource.name
dst_host	target.hostname
dst_user	target.user.userid
dst_user_role	target.user.attribute.roles
dst_username	target.asset.hostname
dst_username	target.asset.hostname
event_type	metadata.product_event_type
file_path	target.file.full_path
kv_data_error.Error	additional_error.value.string_value
kv_data_error.Severity	additional_severity.value.string_value
kv_data_error.Severity	_sr.severity_details
kv_data_error.State	additional_state.value.string_value
kv.first_LSN	additional_first_lsn.value.string_value
kv.last_LSN	additional_last_lsn.value.string_value
kv.number_of_dump_devices	additional_num_of_dump_devices.value.string_value
kv.pages_dumped	additional_pagedump.value.string_value
ori_username	principal.artifact.ip
reason	metadata.description
server_instance_name	target.hostname
server_principal_sid	principal.process.pid
session_id	network.session_id
sr_description_new	_sr.description
statement	_sr.description
statement	target.process.command_line
sum_msg	_sr.description
target_server_principal_id	target.resource.product_object_id
target_server_principal_name	target.resource.name

Product Event Types¶

Event	UDM Event Classification
action_id =~ "AS"	USER_RESOURCE_ACCESS
action_id =~ "CO"	NETWORK_CONNECTION
action_id =~ "CR\|APRL"	USER_CREATION
action_id =~ "DL"	FILE_DELETION
action_id =~ "DR"	USER_UNCATEGORIZED
action_id =~ "G "	USER_RESOURCE_ACCESS
action_id =~ "GRDB"	USER_RESOURCE_UPDATE_PERMISSIONS
action_id =~ "GRDO"	USER_RESOURCE_UPDATE_CONTENT
action_id =~ "LGIF"	USER_LOGOUT
action_id =~ "LGIS"	USER_LOGIN
action_id =~ "LGNM"	USER_LOGOUT
action_id =~ "LGO"	FILE_MOVE
action_id =~ "PWC"	USER_CHANGE_PASSWORD
All non defined events	GENERIC_EVENT

Log Sample¶

<13>Dec  8 16:01:01 SQL01 Log was backed up. Database: PermissionDB, creation date(time): 2022/04/08(11:41:58), first LSN: 51:37092:1, last LSN: 51:37096:1, number of dump devices: 1, device information: (FILE=1, TYPE=DISK: {'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'}). This is an informational message only. No user action is required.

Sample Parsing¶

metadata.event_type = "FILE_SYNC"
metadata.vendor_name = "Microsoft"
metadata.product_name = "SQL Server"
metadata.product_event_type = "Log was backed up."
additional.fields["last LSN"] = "51:37096:1"
additional.fields["number of dump devices"] = "1"
additional.fields["first LSN"] = "51:37092:1"
additional.fields["Severity"] = ""
principal.hostname = "SQL01"
principal.asset.hostname = "SQL01"
principal.asset.creation_time.seconds = 1649418118
principal.asset.creation_time.nanos = 0
target.file.full_path = "'\\sqlstore\logbackup$\SQL01\Default\PermissionDB_backup_2022_11_11_123456_12345678.doc'"
security_result.summary = "No user action is required."
security_result.description = "This is an informational message only."
security_result.action = "UNKNOWN_ACTION"

Parser Alerting¶

This product currently does not have any Parser-based Alerting

Rules¶

Coming Soon