Azure-Sentinel/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRo...

id: 5dd79877-8066-4ce4-ae03-eedd8ebf04f8
name: User removed from SQL Server Roles
description: |
  This hunting query identifies user removed from a SQL Server Role.
  This query is based on the SQLEvent KQL Parser function (link below) 
  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
  Detailed blog post on Monitoring SQL Server with Microsoft Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
requiredDataConnectors:
  - connectorId: AzureMonitor(WindowsEventLogs)
    dataTypes:
      - Event
tactics:
  - Persistence
  - PrivilegeEscalation
  - Impact
relevantTechniques:
  - T1098
  - T1078
  - T1496
query: |

        // SQLEvent is not the table name, it is the function name that should already be imported into your workspace.
        // The underlying table where the data exists is the Event table.
        // This query checks for user removed from a ServerRole
        SQLEvent
        | where Statement has "Alter Server role" and Statement has "drop member"
        | parse Statement with * "DROP MEMBER [" TargetUser:string "]" *
        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement 
        | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP
Updated hunting queries as per Query Style Guide 2020-07-15 11:51:36 +03:00			`id: 5dd79877-8066-4ce4-ae03-eedd8ebf04f8`
			`name: User removed from SQL Server Roles`
			`description: \|`
			`This hunting query identifies user removed from a SQL Server Role.`
			`This query is based on the SQLEvent KQL Parser function (link below)`
			`SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever`
Updating the name from “Azure Sentinel” to “Microsoft Sentinel” for Detection and Hunting Queries. 2021-11-10 05:41:23 +03:00			`Detailed blog post on Monitoring SQL Server with Microsoft Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960`
Updated hunting queries as per Query Style Guide 2020-07-15 11:51:36 +03:00			`requiredDataConnectors:`
			`- connectorId: AzureMonitor(WindowsEventLogs)`
			`dataTypes:`
Updated Hunting Queries Update YAML validated hunting queries as per the guidelines and feedback 2020-07-21 11:41:29 +03:00			`- Event`
			`tactics:`
			`- Persistence`
			`- PrivilegeEscalation`
			`- Impact`
			`relevantTechniques:`
			`- T1098`
			`- T1078`
			`- T1496`
Updated hunting queries as per Query Style Guide 2020-07-15 11:51:36 +03:00			`query: \|`

Updated Hunting Queries Update YAML validated hunting queries as per the guidelines and feedback 2020-07-21 11:41:29 +03:00			`// SQLEvent is not the table name, it is the function name that should already be imported into your workspace.`
			`// The underlying table where the data exists is the Event table.`
Updated hunting queries as per Query Style Guide 2020-07-15 11:51:36 +03:00			`// This query checks for user removed from a ServerRole`
			`SQLEvent`
			`\| where Statement has "Alter Server role" and Statement has "drop member"`
Updated Hunting Queries Update YAML validated hunting queries as per the guidelines and feedback 2020-07-21 11:41:29 +03:00			`\| parse Statement with * "DROP MEMBER [" TargetUser:string "]" *`
			`\| project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement`
			`\| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP`