diff --git a/Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml b/Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml
new file mode 100644
index 0000000000..3b573a0bf0
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-Failed SQL Logons.yaml
@@ -0,0 +1,16 @@
+id: d98256d5-0c9a-4ffc-8618-66a3404412f8
+name: Failed Logon Attempts on SQL Server
+description: |
+ This query is based on the SQLEvent KQL Parser function (link below) and detects failed logons on SQL Server
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ SQLEvent
+ | where LogonResult has "failed"
+ | summarize count() by CurrentUser, Reason
+
diff --git a/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml
new file mode 100644
index 0000000000..cbe1f039ff
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_FromSameIP.yaml
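Review bot: The `| summarize count() by CurrentUser, Reason` line discards all time context and the source address, so a hunter cannot tell when the failures happened or where they came from; the two threshold queries in this same commit already compute `StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)` and group on `ClientIP`, and this one should match them. Suggest `| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), FailedLogons = count() by CurrentUser, ClientIP, Reason`. None of the nine new files carries `tactics:` / `relevantTechniques:` metadata, which the Sentinel hunting-query layout uses to surface queries by technique; Credential Access / T1110 would fit this file and the two threshold queries, and the role-change files map naturally to Persistence / Privilege Escalation.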
@@ -0,0 +1,23 @@
+id: 72727649-6445-46a3-b249-997a009fad89
+name: Failed Logon on SQL Server from Same IPAddress in Short time Span
+description: |
+ This hunitng query identifies multiple failed logon attempts from same IP within short span of time.
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // the timeframe and threshold can be changed below as per requirement.
+ //
+ let TimeFrame = 10m;
+ let failedThreshold = 3;
+ SQLEvent
+ | where TimeGenerated > ago(TimeFrame)
+ | where LogonResult has "failed"
+ | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalFailedLogons = count() by ClientIP, CurrentUser
+ | where TotalFailedLogons >= failedThreshold
+ | project ClientIP, TotalFailedLogons, CurrentUser
\ No newline at end of file
diff --git a/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
new file mode 100644
index 0000000000..4dfca580ac
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
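Review bot: `| project ClientIP, TotalFailedLogons, CurrentUser` drops the StartTimeUtc and EndTimeUtc columns that the preceding summarize just computed, so the result is a bare count with no window; the next hunk (`SQL-MultipleFailedLogon_InShortSpan.yaml`) does the same with `| project CurrentUser, TotalFailedLogons`. In both files the `| where TimeGenerated > ago(TimeFrame)` line also pins the query to the last 10 minutes of ingestion, so, as far as I can tell, a hunt run over a wider range in the hunting blade still sees nothing older than 10 minutes. If the intent is a per-window threshold over whatever range is selected, drop the ago() filter and bucket instead: `| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalFailedLogons = count() by bin(TimeGenerated, TimeFrame), ClientIP, CurrentUser` followed by `| project StartTimeUtc, EndTimeUtc, ClientIP, CurrentUser, TotalFailedLogons`. The description also misspells "hunitng".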
@@ -0,0 +1,23 @@
+id: aef212b5-c770-42e1-9abf-bc513e4e749c
+name: Multiple Failed Logon on SQL Server in Short time Span
+description: |
+ This hunting queries looks for multiple failed logon attempts in short span of time.
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // the timeframe and threshold can be changed below as per requirement
+ //
+ let TimeFrame = 10m;
+ let failedThreshold = 3;
+ SQLEvent
+ | where TimeGenerated > ago(TimeFrame)
+ | where LogonResult has "failed"
+ | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalFailedLogons = count() by CurrentUser
+ | where TotalFailedLogons >= failedThreshold
+ | project CurrentUser, TotalFailedLogons
\ No newline at end of file
diff --git a/Hunting Queries/SQLServer/SQL-New_UserCreated.yaml b/Hunting Queries/SQLServer/SQL-New_UserCreated.yaml
new file mode 100644
index 0000000000..ecf32473b1
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-New_UserCreated.yaml
@@ -0,0 +1,22 @@
+id: 2b96760d-5307-44f0-94bd-8cf0ec52b1fb
+name: New User created on SQL Server
+description: |
+ This hunting query identifies creation of a new user from SQL Server
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // This detection query is based on the SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ // Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+ // This query checks for new user account created on SQL Server using the SQLEvent() parser
+ //
+ SQLEvent
+ | where Statement has "Create Login"
+ | parse Statement with "CREATE LOGIN [" TargetUser:string
+ "]" *
+ | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
\ No newline at end of file
diff --git a/Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml b/Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml
new file mode 100644
index 0000000000..7904c36b81
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-UserAdded_to_SecurityAdmin.yaml
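Review bot: The `| where Statement has "Create Login"` filter is case-insensitive, but the `| parse Statement with "CREATE LOGIN [" TargetUser:string "]" *` that follows matches its delimiters literally (in the default parse mode, case-sensitively as far as I recall) and additionally requires the bracket-quoted form, so a statement written as `create login svc1 with password = ...` passes the filter yet yields an empty TargetUser and the row surfaces without the account name. The same filter/parse mismatch is present on the ADD MEMBER and DROP MEMBER parses in the five hunks that follow. A tolerant extraction keeps row and name together, e.g. `| extend TargetUser = extract(@"(?i)CREATE LOGIN \[?([^\]\s]+)", 1, Statement)` (constructed regex — verify against the parser's Statement format before adopting). The two `// ... based on the SQLEvent KQL Parser ...` comment lines inside the query repeat the description block above and could be dropped.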
@@ -0,0 +1,20 @@
+id: 363ea6d1-b30d-4a44-b56a-63c3c8a99621
+name: User added to SQL Server SecurityAdmin Group
+description: |
+ This hunting query identifies user added in the SecurityAdmin group of SQL Server
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // This query tracks user added into SecurityAdmingroup
+ SQLEvent
+ | where Statement has "Alter Server role" and Statement has "add member"
+ | parse Statement with * "ADD MEMBER [" TargetUser:string
+ "]" *
+ | where ObjectName has "securityadmin"
+ | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
\ No newline at end of file
diff --git a/Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml b/Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml
new file mode 100644
index 0000000000..5be147be8e
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-UserDeletedFromDatabase.yaml
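Review bot: `| where ObjectName has "securityadmin"` limits this query to one fixed server role; membership changes to `sysadmin` carry at least the same risk and are not covered by any of the new files, since the role-agnostic `SQL-UserRemovedFromServerRole.yaml` hunk has no ADD MEMBER counterpart. Assuming ObjectName carries the role name, as the existing filter already presumes, `| where ObjectName has_any ("securityadmin", "sysadmin")` would cover both, or a separate "added to any server role" query could mirror the removal one. The comment `// This query tracks user added into SecurityAdmingroup` is missing the space before "group".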
@@ -0,0 +1,20 @@
+id: 7b8fa5f5-4f5b-4698-a4cf-720bbb215bea
+name: SQL User deleted from Database
+description: |
+ This hunting query identifies deletion of user from SQL Database
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // This query checks for user removed from a database by parsing the statement field at the query time.
+ //
+ SQLEvent
+ | where Statement has "Alter role" and Statement has "drop member"
+ | parse Statement with * "DROP MEMBER [" TargetUser:string
+ "]" *
+ | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
\ No newline at end of file
diff --git a/Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml b/Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml
new file mode 100644
index 0000000000..255313a445
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-UserRemovedFromSecurityAdmin.yaml
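Review bot: The name `SQL User deleted from Database` and the description promise detection of user deletion, but the filter `| where Statement has "Alter role" and Statement has "drop member"` matches removal of a member from a database role, not `DROP USER`; an actual deletion of a database user or login produces no row here. Either rename the query to what it matches (removal from a database role, the counterpart of the ADD MEMBER query in `SQL-UserRoleChanged.yaml`) or add a second branch for `DROP USER` / `DROP LOGIN` statements, which would need its own extraction since the `DROP MEMBER [` parse does not apply to them. The inline comment should then say the same thing as the name, e.g. `// Removal of a member from a database role (ALTER ROLE ... DROP MEMBER); DROP USER is not matched here`.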
@@ -0,0 +1,20 @@
+id: f35b879c-c836-4502-94f2-c76b7f06f02d
+name: User removed from SQL Server SecurityAdmin Group
+description: |
+ This hunting query identifies user removed from the SecurityAdmin group of SQL Server
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // This query checks for user removed from SecurityAdmin Role
+ SQLEvent
+ | where Statement has "Alter Server role" and Statement has "drop member"
+ | parse Statement with * "DROP MEMBER [" TargetUser:string
+ "]" *
+ | where ObjectName has "securityadmin"
+ | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
\ No newline at end of file
diff --git a/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml b/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml
new file mode 100644
index 0000000000..d12f0b0e75
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-UserRemovedFromServerRole.yaml
@@ -0,0 +1,19 @@
+id: 5dd79877-8066-4ce4-ae03-eedd8ebf04f8
+name: User removed from SQL Server Roles
+description: |
+ This hunting query identifies user removed from a SQL Server Role.
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // This query checks for user removed from a ServerRole
+ SQLEvent
+ | where Statement has "Alter Server role" and Statement has "drop member"
+ | parse Statement with * "DROP MEMBER [" TargetUser:string
+ "]" *
+ | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
\ No newline at end of file
diff --git a/Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml b/Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml
new file mode 100644
index 0000000000..eeea0c1cfb
--- /dev/null
+++ b/Hunting Queries/SQLServer/SQL-UserRoleChanged.yaml
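Review bot: This query is a strict superset of the preceding `SQL-UserRemovedFromSecurityAdmin.yaml` hunk — the same filter and parse minus the `| where ObjectName has "securityadmin"` line — so every securityadmin removal is reported twice when both hunting queries run. Consider keeping only this role-agnostic one (ObjectName is already in the project list, so the role is visible per row) or stating the overlap in the description so analysts expect the duplicate. The comment could name what is actually parsed: `// ALTER SERVER ROLE ... DROP MEMBER for any server role; the role name is reported in ObjectName`.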
@@ -0,0 +1,20 @@
+id: 80a420b3-6a97-4b8f-9d86-4b43ee522fb2
+name: User Role altered on SQL Server
+description: |
+ This hunting query identifies user role altered on SQL Server
+ This query is based on the SQLEvent KQL Parser function (link below)
+ SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
+ Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
+requiredDataConnectors:
+ - connectorId: AzureMonitor(WindowsEventLogs)
+ dataTypes:
+ - Events
+query: |
+
+ // This query looking for Alter role commands and extracts username which was altered and target objectName
+ //
+ SQLEvent
+ | where Statement contains "Alter role" and Statement has "add member"
+ | parse Statement with * "ADD MEMBER [" TargetUser:string
+ "]" *
+ | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
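Review bot: `| where Statement contains "Alter role" and Statement has "add member"` mixes `contains` (substring scan) with `has` (term match), while the parallel database-role query in `SQL-UserDeletedFromDatabase.yaml` and every other file in this commit use `has` for both terms; `| where Statement has "Alter role" and Statement has "add member"` is consistent with them and is the cheaper operator. The name `User Role altered on SQL Server` is broader than what is matched — only ADD MEMBER on a database role — so a name such as "User added to SQL Database Role" would pair it with the DROP MEMBER query. The comment `// This query looking for Alter role commands ...` should read `// Looks for ALTER ROLE ... ADD MEMBER statements and extracts the added user (TargetUser) and the target role (ObjectName)`.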