id: 5dd79877-8066-4ce4-ae03-eedd8ebf04f8
name: User removed from SQL Server Roles
description: |
  This hunting query identifies user removed from a SQL Server Role.
  This query is based on the SQLEvent KQL Parser function (link below) 
  SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
  Detailed blog post on Monitoring SQL Server with Microsoft Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
requiredDataConnectors:
  - connectorId: AzureMonitor(WindowsEventLogs)
    dataTypes:
      - Event
tactics:
  - Persistence
  - PrivilegeEscalation
  - Impact
relevantTechniques:
  - T1098
  - T1078
  - T1496
query: |

        // SQLEvent is not the table name, it is the function name that should already be imported into your workspace.
        // The underlying table where the data exists is the Event table.
        // This query checks for user removed from a ServerRole
        SQLEvent
        | where Statement has "Alter Server role" and Statement has "drop member"
        | parse Statement with * "DROP MEMBER [" TargetUser:string "]" *
        | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement 
        | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP