25 строки
1.1 KiB
YAML
25 строки
1.1 KiB
YAML
id: d98256d5-0c9a-4ffc-8618-66a3404412f8
|
|
name: Failed Logon Attempts on SQL Server
|
|
description: |
|
|
This query is based on the SQLEvent KQL Parser function (link below) and detects failed logons on SQL Server
|
|
SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
|
|
Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
|
|
requiredDataConnectors:
|
|
- connectorId: AzureMonitor(WindowsEventLogs)
|
|
dataTypes:
|
|
- Event
|
|
tactics:
|
|
- CredentialAccess
|
|
relevantTechniques:
|
|
- T1110
|
|
query: |
|
|
|
|
// SQLEvent is not the table name, it is the function name that should already be imported into your workspace.
|
|
// The underlying table where the data exists is the Event table.
|
|
SQLEvent
|
|
| where TimeGenerated >= ago(1d)
|
|
| where LogonResult has "failed"
|
|
| summarize count() by TimeGenerated, CurrentUser, Reason, ClientIP
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP
|
|
|