Updated hunting queries as per Query Style Guide

2020-07-15 14:21:36 +05:30 · 2020-07-15 14:21:36 +05:30 · 8973eccbd7
--- a/Queries/SQLServer/SQL-Failed
+++ b/Queries/SQLServer/SQL-Failed
@ -0,0 +1,16 @@
+id: d98256d5-0c9a-4ffc-8618-66a3404412f8
+name: Failed Logon Attempts on SQL Server
+description: |
+  This query is based on the SQLEvent KQL Parser function (link below) and detects failed logons on SQL Server 
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+      SQLEvent
+      | where LogonResult has "failed"
+      | summarize count() by CurrentUser, Reason
+
--- a/Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml
+++ b/Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml
@ -0,0 +1,23 @@
+id: 72727649-6445-46a3-b249-997a009fad89
+name: Failed Logon on SQL Server from Same IPAddress in Short time Span
+description: |
+  This hunitng query identifies multiple failed logon attempts from same IP within short span of time.
+  This query is based on the SQLEvent KQL Parser function (link below)
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // the timeframe and threshold can be changed below as per requirement.
+        //
+        let TimeFrame = 10m;
+        let failedThreshold = 3;
+        SQLEvent
+        | where TimeGenerated > ago(TimeFrame) 
+        | where LogonResult has "failed"
+        | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalFailedLogons = count() by ClientIP, CurrentUser
+        | where TotalFailedLogons >= failedThreshold
+        | project ClientIP, TotalFailedLogons, CurrentUser
--- a/Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
+++ b/Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
@ -0,0 +1,23 @@
+id: aef212b5-c770-42e1-9abf-bc513e4e749c
+name: Multiple Failed Logon on SQL Server in Short time Span
+description: |
+  This hunting queries looks for multiple failed logon attempts in short span of time.
+  This query is based on the SQLEvent KQL Parser function (link below)
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // the timeframe and threshold can be changed below as per requirement
+        //
+        let TimeFrame = 10m;
+        let failedThreshold = 3;
+        SQLEvent
+        | where TimeGenerated > ago(TimeFrame) 
+        | where LogonResult has "failed"
+        | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalFailedLogons = count() by CurrentUser
+        | where TotalFailedLogons >= failedThreshold
+        | project CurrentUser, TotalFailedLogons
--- a/Queries/SQLServer/SQL-New_UserCreated.yaml
+++ b/Queries/SQLServer/SQL-New_UserCreated.yaml
@ -0,0 +1,22 @@
+id: 2b96760d-5307-44f0-94bd-8cf0ec52b1fb
+name: New User created on SQL Server
+description: |
+  This hunting query identifies creation of a new user from SQL Server
+  This query is based on the SQLEvent KQL Parser function (link below) 
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // This detection query is based on the SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+        // Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+        // This query checks for new user account created on SQL Server using the SQLEvent() parser
+        //
+        SQLEvent
+        | where Statement has "Create Login"
+        | parse Statement with "CREATE LOGIN [" TargetUser:string
+                              "]" *
+        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement 
--- a/Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml
+++ b/Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml
@ -0,0 +1,20 @@
+id: 363ea6d1-b30d-4a44-b56a-63c3c8a99621
+name: User added to SQL Server SecurityAdmin Group
+description: |
+  This hunting query identifies user added in the SecurityAdmin group of SQL Server
+  This query is based on the SQLEvent KQL Parser function (link below)
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // This query tracks user added into SecurityAdmingroup
+        SQLEvent
+        | where Statement has "Alter Server role" and Statement has "add member"
+        | parse Statement with * "ADD MEMBER [" TargetUser:string
+                              "]" *
+        | where ObjectName has "securityadmin"
+        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement 
--- a/Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml
+++ b/Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml
@ -0,0 +1,20 @@
+id: 7b8fa5f5-4f5b-4698-a4cf-720bbb215bea
+name: SQL User deleted from Database
+description: |
+  This hunting query identifies deletion of user from SQL Database
+  This query is based on the SQLEvent KQL Parser function (link below)
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // This query checks for user removed from a database by parsing the statement field at the query time.
+        //
+        SQLEvent
+        | where Statement has "Alter role" and Statement has "drop member"
+        | parse Statement with * "DROP MEMBER [" TargetUser:string
+                              "]" *
+        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement 
--- a/Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml
+++ b/Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml
@ -0,0 +1,20 @@
+id: f35b879c-c836-4502-94f2-c76b7f06f02d
+name: User removed from SQL Server SecurityAdmin Group
+description: |
+  This hunting query identifies user removed from the SecurityAdmin group of SQL Server
+  This query is based on the SQLEvent KQL Parser function (link below) 
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // This query checks for user removed from SecurityAdmin Role
+        SQLEvent
+        | where Statement has "Alter Server role" and Statement has "drop member"
+        | parse Statement with * "DROP MEMBER [" TargetUser:string
+                              "]" *
+        | where ObjectName has "securityadmin"
+        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement 
--- a/Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml
+++ b/Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml
@ -0,0 +1,19 @@
+id: 5dd79877-8066-4ce4-ae03-eedd8ebf04f8
+name: User removed from SQL Server Roles
+description: |
+  This hunting query identifies user removed from a SQL Server Role.
+  This query is based on the SQLEvent KQL Parser function (link below) 
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // This query checks for user removed from a ServerRole
+        SQLEvent
+        | where Statement has "Alter Server role" and Statement has "drop member"
+        | parse Statement with * "DROP MEMBER [" TargetUser:string
+                              "]" *
+        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement 
--- a/Queries/SQLServer/SQL-UserRoleChanged.yaml
+++ b/Queries/SQLServer/SQL-UserRoleChanged.yaml
@ -0,0 +1,20 @@
+id: 80a420b3-6a97-4b8f-9d86-4b43ee522fb2
+name: User Role altered on SQL Server
+description: |
+  This hunting query identifies user role altered on SQL Server
+  This query is based on the SQLEvent KQL Parser function (link below) 
+  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+  Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+  - connectorId: AzureMonitor(WindowsEventLogs)
+    dataTypes:
+      - Events
+query: |
+
+        // This query looking for Alter role commands and extracts username which was altered and target objectName
+        //
+        SQLEvent
+        | where Statement contains "Alter role" and Statement has "add member"
+        | parse Statement with * "ADD MEMBER [" TargetUser:string
+                              "]" *
+        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement