29 строки
1.4 KiB
YAML
29 строки
1.4 KiB
YAML
id: 5dd79877-8066-4ce4-ae03-eedd8ebf04f8
|
|
name: User removed from SQL Server Roles
|
|
description: |
|
|
This hunting query identifies user removed from a SQL Server Role.
|
|
This query is based on the SQLEvent KQL Parser function (link below)
|
|
SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
|
|
Detailed blog post on Monitoring SQL Server with Microsoft Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
|
|
requiredDataConnectors:
|
|
- connectorId: AzureMonitor(WindowsEventLogs)
|
|
dataTypes:
|
|
- Event
|
|
tactics:
|
|
- Persistence
|
|
- PrivilegeEscalation
|
|
- Impact
|
|
relevantTechniques:
|
|
- T1098
|
|
- T1078
|
|
- T1496
|
|
query: |
|
|
|
|
// SQLEvent is not the table name, it is the function name that should already be imported into your workspace.
|
|
// The underlying table where the data exists is the Event table.
|
|
// This query checks for user removed from a ServerRole
|
|
SQLEvent
|
|
| where Statement has "Alter Server role" and Statement has "drop member"
|
|
| parse Statement with * "DROP MEMBER [" TargetUser:string "]" *
|
|
| project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP |