Microsoft SQL

Version: Microsoft SQL Server 2012 or later.

Microsoft SQL Server is a relational database management system with several features and services. With this coverage, there is a large surface area for attack and vulnerabilities. Netsurion utilizes both server audit specifications and extended events to:

  • Address requirements for compliance
  • Analyze database actions to troubleshooting problems
  • Investigate suspicious user activity

Netsurion MS SQL reports provide information about database activities. By using these reports, we can examine user login success and login failures for further investigation, the reports can track the database changes in the tables, views, procedures, triggers, schema and track any SQL query errors.

Dashboards display a graphical representation of the database object changes and actions carried out on that object.

Through dashboards, we can also easily track multiple/brute force login failures. Alerts trigger when a user performs any changes on the database, database view, schema, user management, etc.

  • Security - User activities, extended event session management, SQL error events
  • Operations - DDL changes in database, trigger, view, index, and schema
  • Compliance - Password change events, user logon events, and permission to change events.

After Microsoft SQL Server is configured to deliver events to Netsurion, alerts, dashboards, and reports can be configured into Netsurion.

Alerts

Type Name Description
Security MSSQL - Audit created or deleted or modified This alert is generated when audit, audit specification and extended event session are created, deleted or modified.
Security MSSQL - User enabled or disabled or unlocked This alert is generated when an existing login is enabled, disabled or unlocked.
Security MSSQL - Database created or deleted or modified This alert is generated when a new database is created and older ones are deleted or modified.
Operations MSSQL - Schema created or deleted or modified This alert is generated when new database schema is created and older ones are deleted or modified.
Operations MSSQL - View created or deleted or modified This alert is generated when new database view is created and older ones are deleted or modified.
Operations MSSQL - Stored procedure created or deleted or modified This alert is generated when new stored procedure is created and older ones are deleted or modified.
Operations MSSQL - Table created or deleted or modified This alert is generated when new table is created and older ones are deleted, truncated or modified.
Operations MSSQL - Index created or deleted or modified - This alert is generated when new table view is created and older ones are deleted or modified.
Operations MSSQL - Trigger created or deleted or modified This alert is generated when new table or database trigger is created and older ones are deleted or modified.
Compliance MSSQL - Database and application role created or deleted or modified This alert is generated when new server or database role is created and older ones are deleted or modified.
Compliance MSSQL - Permission granted or revoked or denied This alert is generated when permission is granted, revoked or denied to a login or user.
Compliance MSSQL - User created or deleted or modified This alert is generated when new login, user or credential is created and older ones are deleted or modified.
Compliance MSSQL - User logon failure This alert is generated when an user fails to login SQL server.
Compliance MSSQL - User and application role password reset or changed This alert is generated when password is changed or reset for login, credential or application role.

Reports

Type Name Description
Security MSSQL - User enabled or disabled or unlocked This report provides information related to login account enable, disable and unlock which includes Client Name, User Name, Client Application Name, Database Name, Instance Name and Query Statement fields.
Security MSSQL - Extended event session created or deleted or modified This report provides information related to extended event session creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Security MSSQL - Database backed up or restored This report provides information related to database backup and restore which includes Client Name, User Name, Client Application Name, Database Name, Instance Name and Query Statement fields.
Security MSSQL - Error details This report provides information related to errors generated by SQL which includes Client Name, User Name, Client Application Name and Message fields. This report can also be co-related with Microsoft IIS-Suspicions SQL Injection report to detect SQL based attacks.
Operations MSSQL - Database created or deleted or modified This report provides information related to database creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Operations MSSQL - Table created or deleted or modified This report provides information related to table creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Operations MSSQL - Stored procedure created or deleted or modified This report provides information related to stored procedure creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Operations MSSQL - View created or deleted or modified This report provides information related to database view creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Operations MSSQL - Index created or deleted or modified This report provides information related to table index creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Operations MSSQL - Trigger created or deleted or modified This report provides information related to table and database trigger creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Operations MSSQL - Schema created or deleted or modified This report provides information related to database schema creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name and Query Text fields.
Operations MSSQL - Database backed up or restored This report provides information related to database backup and restore which includes Client Name, User Name, Client Application Name, Database Name, Instance Name and Query Statement fields.
Compliance MSSQL - User and application role password reset or changed This report provides information related to login, credential and application role creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name and Query Statement fields.
Compliance MSSQL - Database and application role created or deleted or modified This report provides information related to server, database and application role creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name and Query Statement fields.
Compliance MSSQL - Permission granted or revoked or denied This report provides information related to permission granted, revoked and denied to a user or login which includes Client Name, User Name, Client Application Name, Database Name, Instance Name and Query Statement fields.
Compliance MSSQL - User logon success This report provides information related to user logon success which includes Client Name, Client Address, User Name, Client Application Name and Authentication Type fields.
Compliance MSSQL - User logon failure This report provides information related to user logon failure which includes Client Name, Client Address, User Name, Client Application Name and Failure Reason fields.
Compliance MSSQL - User created or deleted or modified This report provides information related to login, user and credential creation, deletion and alteration which includes Client Name, User Name, Client Application Name, Database Name, Instance Name and Query Statement fields.

Documentation

The configuration details are consistent with Netsurion version 9.x and later, and Microsoft SQL Server 2012 and later.

Download Integration guide and How-to Guide for more information and to configuration instructions.

This site uses cookies to store information on your computer. Some are essential to make our site work; others help us improve the user experience. By using the site, you consent to the placement of these cookies. Read our Privacy Statement to learn more.

I Accept