29 строки
1.4 KiB
YAML
29 строки
1.4 KiB
YAML
id: 80a420b3-6a97-4b8f-9d86-4b43ee522fb2
|
|
name: User Role altered on SQL Server
|
|
description: |
|
|
This hunting query identifies user role altered on SQL Server
|
|
This query is based on the SQLEvent KQL Parser function (link below)
|
|
SQLEvent KQL Parser provided at https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/SQLSever
|
|
Detailed blog post on Monitoring SQL Server with Azure Sentinel https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960
|
|
requiredDataConnectors:
|
|
- connectorId: AzureMonitor(WindowsEventLogs)
|
|
dataTypes:
|
|
- Event
|
|
tactics:
|
|
- Persistence
|
|
- PrivilegeEscalation
|
|
relevantTechniques:
|
|
- T1098
|
|
- T1078
|
|
query: |
|
|
|
|
// SQLEvent is not the table name, it is the function name that should already be imported into your workspace.
|
|
// The underlying table where the data exists is the Event table.
|
|
// This query looking for Alter role commands and extracts username which was altered and target objectName
|
|
SQLEvent
|
|
| where TimeGenerated >= ago(1d)
|
|
| where Statement contains "Alter role" and Statement has "add member"
|
|
| parse Statement with * "ADD MEMBER [" TargetUser:string "]" *
|
|
| project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
|
|
| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP
|