Microsoft SQL

Version: Microsoft SQL Server 2012 or later.

Microsoft SQL Server is a relational database management system with many features and services, which gives it a large attack surface. Netsurion Open XDR uses both server audit specifications and Extended Events to:

  • Address compliance requirements
  • Analyze database actions to troubleshoot problems
  • Investigate suspicious user activity
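The two SQL Server mechanisms named above are set up on the server itself, not in Open XDR. The following T-SQL is an added example and is not taken from the Netsurion integration guide: it creates a server audit writing to the Windows Application log, a server audit specification whose action groups cover the event classes the alerts and reports on this page key on, and an Extended Events session for SQL error messages. The object names, the QUEUE_DELAY value, the severity cut-off and the event_file path are assumptions chosen for illustration.

```sql
-- Added example (not Netsurion's configuration). Run as a member of sysadmin.
USE master;
GO

-- 1. The audit object: where events land. APPLICATION_LOG needs no extra rights;
--    SECURITY_LOG requires the SQL Server service account to hold the
--    "Generate security audits" right and object-access auditing to be enabled.
CREATE SERVER AUDIT [OpenXDR_Audit]
TO APPLICATION_LOG
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);   -- QUEUE_DELAY in ms is an assumption
GO

-- 2. Server-level audit specification: one action group per alert category on this page.
CREATE SERVER AUDIT SPECIFICATION [OpenXDR_ServerAuditSpec]
FOR SERVER AUDIT [OpenXDR_Audit]
    ADD (AUDIT_CHANGE_GROUP),                    -- audit / audit specification created, altered, dropped
    ADD (FAILED_LOGIN_GROUP),                    -- user logon failure
    ADD (SUCCESSFUL_LOGIN_GROUP),                -- user logon success
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),         -- login created, dropped, enabled, disabled, unlocked
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),           -- login password reset or changed
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),       -- server role membership
    ADD (SERVER_PERMISSION_CHANGE_GROUP),        -- GRANT / REVOKE / DENY at server scope
    ADD (SERVER_OBJECT_CHANGE_GROUP),            -- server-scoped objects such as endpoints
    ADD (DATABASE_CHANGE_GROUP),                 -- database created, altered, dropped
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),       -- database users and roles
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),     -- database role membership
    ADD (APPLICATION_ROLE_CHANGE_PASSWORD_GROUP),-- application role password
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),      -- GRANT / REVOKE / DENY at database scope
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP), -- GRANT / REVOKE / DENY on tables, views, procedures
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),            -- tables, views, procedures, triggers, indexes
    ADD (DATABASE_OBJECT_CHANGE_GROUP),          -- schemas and other database-scoped objects
    ADD (BACKUP_RESTORE_GROUP)                   -- database backed up or restored
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [OpenXDR_Audit] WITH (STATE = ON);
GO

-- 3. Extended Events session for SQL errors, capturing the fields the
--    "Error details" report lists: client host, user, application and message.
CREATE EVENT SESSION [OpenXDR_Errors] ON SERVER
ADD EVENT sqlserver.error_reported (
    ACTION (sqlserver.client_hostname, sqlserver.username,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE severity >= 14)   -- 14 = permission-denied class errors and above; assumed cut-off
ADD TARGET package0.event_file (SET filename = N'D:\XE\OpenXDR_Errors.xel')  -- path is an assumption
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [OpenXDR_Errors] ON SERVER STATE = START;
GO

-- 4. Check: every object should report as enabled / running before pointing
--    the collector at the server.
SELECT name, is_state_enabled FROM sys.server_audits;
SELECT name, is_state_enabled FROM sys.server_audit_specifications;
SELECT name FROM sys.dm_xe_sessions WHERE name = N'OpenXDR_Errors';
```

Because AUDIT_CHANGE_GROUP is in the specification, an attacker who disables or drops the audit to hide later activity generates an event of the very class the "Audit created or deleted or modified" alert watches; ON_FAILURE = CONTINUE keeps the instance up if the log target fails, so pair it with monitoring of the audit state rather than relying on the server to halt.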

Netsurion Open XDR MS SQL reports provide information about database activity. They show login successes and failures for further investigation, track changes to tables, views, procedures, triggers and schemas, and record SQL query errors.

Dashboards display a graphical representation of database object changes and the actions carried out on each object.

Dashboards also make repeated (brute-force) login failures easy to spot. Alerts trigger when a user changes a database, database view, schema, user account, and so on.
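The aggregation behind a "multiple login failures" view is simple to reproduce and useful to run by hand during an investigation. The query below is an added example, not part of the Netsurion product or its guides; it runs over a constructed sample set in a temp table, and the threshold (5 failures from one source within a 10-minute bucket) and the timestamps are assumptions.

```sql
-- Added example, not Netsurion's detection logic. Uses SQL Server audit column
-- names so the same query can later run over sys.fn_get_audit_file output.
CREATE TABLE #logon_events (
    event_time            datetime2(0)  NOT NULL,
    action_id             char(4)       NOT NULL,  -- audit action IDs: LGIF = login failed, LGIS = login succeeded
    server_principal_name sysname       NOT NULL,
    client_ip             nvarchar(48)  NOT NULL,
    application_name      nvarchar(128) NOT NULL
);

-- Constructed sample: a burst of failures against 'sa' from one host that ends in
-- a success, plus an isolated failure for an application login.
INSERT INTO #logon_events (event_time, action_id, server_principal_name, client_ip, application_name) VALUES
    ('2024-03-01 09:00:01', 'LGIF', 'sa',      '10.0.0.23', 'sqlcmd'),
    ('2024-03-01 09:00:02', 'LGIF', 'sa',      '10.0.0.23', 'sqlcmd'),
    ('2024-03-01 09:00:03', 'LGIF', 'sa',      '10.0.0.23', 'sqlcmd'),
    ('2024-03-01 09:00:04', 'LGIF', 'sa',      '10.0.0.23', 'sqlcmd'),
    ('2024-03-01 09:00:05', 'LGIF', 'sa',      '10.0.0.23', 'sqlcmd'),
    ('2024-03-01 09:00:09', 'LGIS', 'sa',      '10.0.0.23', 'sqlcmd'),
    ('2024-03-01 09:30:00', 'LGIF', 'appuser', '10.0.0.50', 'WebApp');

-- Step 1: assign each failure to a 10-minute bucket.
WITH failures AS (
    SELECT server_principal_name, client_ip, event_time,
           DATEADD(minute, (DATEDIFF(minute, '2000-01-01', event_time) / 10) * 10, '2000-01-01') AS bucket_start
    FROM #logon_events
    WHERE action_id = 'LGIF'
),
-- Step 2: count failures per (login, source, bucket) and keep bursts over the threshold.
bursts AS (
    SELECT server_principal_name, client_ip, bucket_start,
           COUNT(*)        AS failure_count,
           MAX(event_time) AS last_failure
    FROM failures
    GROUP BY server_principal_name, client_ip, bucket_start
    HAVING COUNT(*) >= 5
)
-- Step 3: did the same login succeed from the same source after the burst?
-- A success immediately following a burst is the row to escalate first.
SELECT b.server_principal_name, b.client_ip, b.bucket_start, b.failure_count,
       s.first_success_after
FROM bursts AS b
OUTER APPLY (
    SELECT MIN(e.event_time) AS first_success_after
    FROM #logon_events AS e
    WHERE e.action_id = 'LGIS'
      AND e.server_principal_name = b.server_principal_name
      AND e.client_ip = b.client_ip
      AND e.event_time > b.last_failure
) AS s
ORDER BY b.failure_count DESC;
-- Returns one row: sa, 10.0.0.23, 2024-03-01 09:00:00, 5, 2024-03-01 09:00:09.
-- The single appuser failure stays below the threshold and is not reported.

DROP TABLE #logon_events;
```

On a live server with a file-target audit, replace the temp table with sys.fn_get_audit_file(N'<audit path>\*.sqlaudit', DEFAULT, DEFAULT) and check that your version returns the client_ip and application_name columns; with the APPLICATION_LOG target, the same records reach the Windows Application log as event ID 33205, which is where a log collector picks them up.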

  • Security – user activity, Extended Events session management, SQL error events
  • Operations – DDL changes to databases, triggers, views, indexes and schemas
  • Compliance – password change events, user logon events and permission change events

After Microsoft SQL Server is configured to deliver events to Netsurion Open XDR, alerts, dashboards and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integration components available in Netsurion Open XDR.

Alerts

Type | Name | Description
Security | MSSQL – Audit created or deleted or modified | Generated when an audit, audit specification or Extended Events session is created, deleted or modified.
Security | MSSQL – User enabled or disabled or unlocked | Generated when an existing login is enabled, disabled or unlocked.
Security | MSSQL – Database created or deleted or modified | Generated when a database is created, or an existing one is deleted or modified.
Operations | MSSQL – Schema created or deleted or modified | Generated when a database schema is created, or an existing one is deleted or modified.
Operations | MSSQL – View created or deleted or modified | Generated when a database view is created, or an existing one is deleted or modified.
Operations | MSSQL – Stored procedure created or deleted or modified | Generated when a stored procedure is created, or an existing one is deleted or modified.
Operations | MSSQL – Table created or deleted or modified | Generated when a table is created, or an existing one is deleted, truncated or modified.
Operations | MSSQL – Index created or deleted or modified | Generated when an index is created, or an existing one is deleted or modified.
Operations | MSSQL – Trigger created or deleted or modified | Generated when a table or database trigger is created, or an existing one is deleted or modified.
Compliance | MSSQL – Database and application role created or deleted or modified | Generated when a server or database role is created, or an existing one is deleted or modified.
Compliance | MSSQL – Permission granted or revoked or denied | Generated when a permission is granted, revoked or denied to a login or user.
Compliance | MSSQL – User created or deleted or modified | Generated when a login, user or credential is created, or an existing one is deleted or modified.
Compliance | MSSQL – User logon failure | Generated when a user fails to log in to SQL Server.
Compliance | MSSQL – User and application role password reset or changed | Generated when the password of a login, credential or application role is changed or reset.

Reports

Type | Name | Description
Security | MSSQL – User enabled or disabled or unlocked | Login account enable, disable and unlock events. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Query Statement.
Security | MSSQL – Extended event session created or deleted or modified | Extended Events session creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Security | MSSQL – Database backed up or restored | Database backup and restore events. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Query Statement.
Security | MSSQL – Error details | Errors generated by SQL Server. Fields: Client Name, User Name, Client Application Name, Message. This report can also be correlated with the Microsoft IIS – Suspicious SQL Injection report to detect SQL injection attacks.
Operations | MSSQL – Database created or deleted or modified | Database creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Operations | MSSQL – Table created or deleted or modified | Table creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Operations | MSSQL – Stored procedure created or deleted or modified | Stored procedure creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Operations | MSSQL – View created or deleted or modified | Database view creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Operations | MSSQL – Index created or deleted or modified | Table index creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Operations | MSSQL – Trigger created or deleted or modified | Table and database trigger creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Operations | MSSQL – Schema created or deleted or modified | Database schema creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Event Category, Object Name, Query Text.
Operations | MSSQL – Database backed up or restored | Database backup and restore events. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Query Statement.
Compliance | MSSQL – User and application role password reset or changed | Password resets and changes for logins, credentials and application roles. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Query Statement.
Compliance | MSSQL – Database and application role created or deleted or modified | Server, database and application role creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Query Statement.
Compliance | MSSQL – Permission granted or revoked or denied | Permissions granted, revoked or denied to a user or login. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Query Statement.
Compliance | MSSQL – User logon success | Successful user logons. Fields: Client Name, Client Address, User Name, Client Application Name, Authentication Type.
Compliance | MSSQL – User logon failure | Failed user logons. Fields: Client Name, Client Address, User Name, Client Application Name, Failure Reason.
Compliance | MSSQL – User created or deleted or modified | Login, user and credential creation, deletion and alteration. Fields: Client Name, User Name, Client Application Name, Database Name, Instance Name, Query Statement.

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x and later, and Microsoft SQL Server.

Download the Integration Guide and the How-to Guide for configuration instructions and more information.