MS SQL server DB audit repackaged
This commit is contained in:
Parent
f2d0a6da5f
Commit
827a9f09c9
|
@ -2,8 +2,6 @@ id: d98256d5-0c9a-4ffc-8618-66a3404412f8
|
|||
name: Failed Logon Attempts on SQL Server
|
||||
description: |
|
||||
This query detects failed logons on SQL Server using the SQLEvent KQL Parser function.
|
||||
Link: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
|
||||
refer blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
description-detailed: |
|
||||
This query is based on the SQLEvent KQL Parser function (link below) and detects failed logons on SQL Server
|
||||
SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
|
||||
|
|
|
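Review bot: the parser URL in this hunk spells the directory `Parsers/SQLSever`, and it is the only concrete link left in the file once the hunk header's two dropped lines are gone (the `refer blog post ... techcommunity.microsoft.com` line names a site but carries no URL). Confirm that the path resolves in the Azure-Sentinel repository before shipping, and either add the full blog URL or drop that sentence so a reader is not sent to a bare hostname.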
@ -2,7 +2,6 @@ id: 72727649-6445-46a3-b249-997a009fad89
|
|||
name: Failed Logon on SQL Server from Same IPAddress in Short time Span
|
||||
description: |
|
||||
This query detects multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function.
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
description-detailed: |
|
||||
This hunting query identifies multiple failed logon attempts from same IP within short span of time.
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
|
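Review bot: `description-detailed` still ends with `This query is based on the SQLEvent KQL Parser function (link below)`, but no link follows it in this file; either add the parser URL under that line, as the first hunt does, or reword it to state where the parser lives. The `For more details, check blog post ... techcommunity.microsoft.com` line likewise has no URL to follow.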
@ -2,7 +2,6 @@ id: aef212b5-c770-42e1-9abf-bc513e4e749c
|
|||
name: Multiple Failed Logon on SQL Server in Short time Span
|
||||
description: |
|
||||
This query looks multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function.
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
description-detailed: |
|
||||
This hunting queries looks for multiple failed logon attempts in short span of time.
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
|
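Review bot: the description and the name disagree about what this hunt does: the name is `Multiple Failed Logon on SQL Server in Short time Span` and `description-detailed` says `multiple failed logon attempts in short span of time`, but `description` says `from the same IP`, which is the previous hunt's wording. Drop `from the same IP` here so the two hunts stay distinguishable, and fix the grammar in the same pass (`This query looks for multiple ...`, `This hunting query looks for ...`).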
@ -2,7 +2,6 @@ id: 2b96760d-5307-44f0-94bd-8cf0ec52b1fb
|
|||
name: New User created on SQL Server
|
||||
description: |
|
||||
This query detects new user creation from SQL Server using the SQLEvent KQL Parser function.
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
description-detailed: |
|
||||
This hunting query identifies creation of a new user from SQL Server
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
id: 363ea6d1-b30d-4a44-b56a-63c3c8a99621
|
||||
name: User added to SQL Server SecurityAdmin Group
|
||||
description: |
|
||||
This hunting query identifies user added in the SecurityAdmin group of SQL Server
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
This hunting query identifies user added in the SecurityAdmin group of SQL Server.
|
||||
description-detailed: |
|
||||
This hunting query identifies user added in the SecurityAdmin group of SQL Server
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
|
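Review bot: the rewritten line `This hunting query identifies user added in the SecurityAdmin group of SQL Server.` does not get the `It relies on the SQLEvent KQL Parser function.` sentence that the sibling hunts below add, so the parser dependency is invisible for this hunt; add it for consistency. Also, `securityadmin` is a fixed server role in SQL Server, not a group, so `added to the securityadmin server role` is the accurate wording for the analyst reading the result.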
@ -1,8 +1,7 @@
|
|||
id: 7b8fa5f5-4f5b-4698-a4cf-720bbb215bea
|
||||
name: SQL User deleted from Database
|
||||
description: |
|
||||
This hunting query identifies deletion of user from SQL Database
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
This hunting query identifies deletion of user from SQL Database. It relies on the SQLEvent KQL Parser function.
|
||||
description-detailed: |
|
||||
This hunting query identifies deletion of user from SQL Database
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
id: f35b879c-c836-4502-94f2-c76b7f06f02d
|
||||
name: User removed from SQL Server SecurityAdmin Group
|
||||
description: |
|
||||
This hunting query identifies user removed from the SecurityAdmin group of SQL Server
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
This hunting query identifies user removed from the SecurityAdmin group of SQL Server. It relies on the SQLEvent KQL Parser function.
|
||||
description-detailed: |
|
||||
This hunting query identifies user removed from the SecurityAdmin group of SQL Server
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
id: 5dd79877-8066-4ce4-ae03-eedd8ebf04f8
|
||||
name: User removed from SQL Server Roles
|
||||
description: |
|
||||
This hunting query identifies user removed from a SQL Server Role.
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
This hunting query identifies user removed from a SQL Server Role. It relies on the SQLEvent KQL Parser function.
|
||||
description-detailed: |
|
||||
This hunting query identifies user removed from a SQL Server Role.
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
|
@ -1,8 +1,7 @@
|
|||
id: 80a420b3-6a97-4b8f-9d86-4b43ee522fb2
|
||||
name: User Role altered on SQL Server
|
||||
description: |
|
||||
This hunting query identifies user role altered on SQL Server
|
||||
For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com
|
||||
This hunting query identifies user role altered on SQL Server. It relies on the SQLEvent KQL Parser function.
|
||||
description-detailed: |
|
||||
This hunting query identifies user role altered on SQL Server
|
||||
This query is based on the SQLEvent KQL Parser function (link below)
|
||||
|
|
Binary file not shown.
|
@ -82,7 +82,7 @@
|
|||
"name": "huntingquery1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query detects failed logons on SQL Server using the SQLEvent KQL Parser function. \nLink: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever\nrefer blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This query detects failed logons on SQL Server using the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
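Review bot: the new `text` drops both the parser link and the blog reference, so the UI now says the hunt `depends on AzureMonitor(WindowsEventLogs) data connector` but no longer says where the SQLEvent parser it also depends on lives; keep a short pointer to the parser location (the dropped `Link:` value, once its spelling is confirmed) so the dependency can actually be satisfied at deployment time. The same omission recurs in the huntingquery2 to huntingquery9 TextBlocks below.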
@ -96,7 +96,7 @@
|
|||
"name": "huntingquery2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query detects multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. \nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This query detects multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -110,7 +110,7 @@
|
|||
"name": "huntingquery3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query looks multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. \nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This query looks multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
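Review bot: the replacement `text` keeps `This query looks multiple failed logon attempts` from the old line; change it to `looks for multiple`, and, as with the YAML, remove `from the same IP`, which otherwise makes huntingquery3 read identically to huntingquery2 in the deployment UI.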
@ -124,7 +124,7 @@
|
|||
"name": "huntingquery4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This query detects new user creation from SQL Server using the SQLEvent KQL Parser function.\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This query detects new user creation from SQL Server using the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -138,7 +138,7 @@
|
|||
"name": "huntingquery5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query identifies user added in the SecurityAdmin group of SQL Server\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This hunting query identifies user added in the SecurityAdmin group of SQL Server. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -152,7 +152,7 @@
|
|||
"name": "huntingquery6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query identifies deletion of user from SQL Database\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This hunting query identifies deletion of user from SQL Database. It relies on the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -166,7 +166,7 @@
|
|||
"name": "huntingquery7-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query identifies user removed from the SecurityAdmin group of SQL Server\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This hunting query identifies user removed from the SecurityAdmin group of SQL Server. It relies on the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -180,7 +180,7 @@
|
|||
"name": "huntingquery8-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query identifies user removed from a SQL Server Role.\n For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This hunting query identifies user removed from a SQL Server Role. It relies on the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -194,7 +194,7 @@
|
|||
"name": "huntingquery9-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This hunting query identifies user role altered on SQL Server\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
"text": "This hunting query identifies user role altered on SQL Server. It relies on the SQLEvent KQL Parser function. This hunting query depends on AzureMonitor(WindowsEventLogs) data connector (Event Parser or Table)"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -112,7 +112,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This query detects failed logons on SQL Server using the SQLEvent KQL Parser function. \nLink: https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever\nrefer blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This query detects failed logons on SQL Server using the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
@ -195,7 +195,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This query detects multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. \nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This query detects multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
@ -278,7 +278,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This query looks multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function. \nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This query looks multiple failed logon attempts from the same IP within a short span of time. It relies on the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
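Review bot: the same `looks multiple` and `from the same IP` wording is carried into the `description` tag value here, which is what Sentinel displays in the hunting blade; fix it in this hunk too so the YAML, createUiDefinition and mainTemplate copies stay in sync.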
@ -361,7 +361,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This query detects new user creation from SQL Server using the SQLEvent KQL Parser function.\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This query detects new user creation from SQL Server using the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
@ -444,7 +444,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This hunting query identifies user added in the SecurityAdmin group of SQL Server\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This hunting query identifies user added in the SecurityAdmin group of SQL Server."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
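Review bot: the `description` tag value for the securityadmin hunt again lacks the `It relies on the SQLEvent KQL Parser function.` sentence that the neighbouring hunks (user deleted, removed from securityadmin, removed from roles, role altered) carry; add it, or the description reads as though this hunt runs on raw event data without the parser.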
@ -527,7 +527,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This hunting query identifies deletion of user from SQL Database\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This hunting query identifies deletion of user from SQL Database. It relies on the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
@ -610,7 +610,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This hunting query identifies user removed from the SecurityAdmin group of SQL Server\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This hunting query identifies user removed from the SecurityAdmin group of SQL Server. It relies on the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
@ -693,7 +693,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This hunting query identifies user removed from a SQL Server Role.\n For more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This hunting query identifies user removed from a SQL Server Role. It relies on the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
@ -776,7 +776,7 @@
|
|||
"tags": [
|
||||
{
|
||||
"name": "description",
|
||||
"value": "This hunting query identifies user role altered on SQL Server\nFor more details, check blog post on Monitoring SQL Server with Microsoft Sentinel techcommunity.microsoft.com"
|
||||
"value": "This hunting query identifies user role altered on SQL Server. It relies on the SQLEvent KQL Parser function."
|
||||
},
|
||||
{
|
||||
"name": "tactics",
|
||||
|
|