SQL Server auditing and security using EventLog Analyzer

This tutorial helps you navigate the capabilities of EventLog Analyzer in auditing, monitoring, and securing Microsoft SQL Server.

Before you start viewing the audit reports, enabling the detection rules, and generating compliance reports, ensure that you've enabled logging in your SQL Server and added it for auditing in the EventLog Analyzer console.

Auditing SQL Server using EventLog Analyzer: Use cases

EventLog Analyzer covers the below SQL Server auditing use cases with its security auditing reports. These reports are predefined and can be scheduled to be generated at a specific time and distributed over email.

Use Case Description Why implement? Available Reports
DDL change monitoring Track all critical changes to SQL database structure including adding, altering tables, schemas, procedures, and views Improves data security, aids troubleshooting, and enables rollbacks
  • SQL Server Database Created
  • SQL Server Database Dropped
  • SQL Server Database Altered
  • SQL Server Table Created
  • SQL Server Table Dropped
  • SQL Server Table Altered
  • SQL Server Procedure Created
  • SQL Server Procedure Dropped
  • SQL Server Procedure Altered
  • SQL Server Schema Created
  • SQL Server Schema Dropped
  • SQL Server Schema Altered
DML change monitoring Track and audit modifications to data stored in the SQL database. Provides an audit trail for data modifications to ensure data integrity
  • SQL Server Tables Selected
  • SQL Server Tables Inserted
  • SQL Server Tables Updated
  • SQL Server Tables Deleted
  • SQL Server Schema Selected
  • SQL Server Schema Inserted
  • SQL Server Schema Updated
  • SQL Server Schema Deleted
  • SQL Server Execute Command
  • SQL Server Receive Command
  • SQL Server Check Reference Command
User account auditing Track changes to SQL Server user accounts such as user, login, password, and credential creation and deletion. Enhances security by identifying suspicious activity and enforces accountability
  • User Created
  • User Dropped
  • User Altered
  • Login Created
  • Login Dropped
  • Login Altered
  • DataBase Role Created
  • DataBase Role Dropped
  • DataBase Role Altered
  • Application Role Created
  • Application Role Dropped
  • Application Role Altered
  • Credential Created
  • Credential Dropped
  • Credential Altered
  • Own Password Changes
  • All Password Changes
  • Failed Own password changes
  • Password Changes
  • Password Changes Failed
  • Password Reset
  • Password Reset Failed
  • Own password resets
  • Failed Own password reset
  • Unlocked accounts
  • Enabled users
  • Disabled Users
SQL Server system auditing Tracks events and activities across the database server, including server configuration changes, resource usage, and critical system failures. Provides a comprehensive overview of system health, aids in security analytics, and helps identifying performance bottlenecks.
  • Database Backup Report
  • Database Restore
  • Database Backup Failed
  • Transaction Log Backup Reports
  • Admin Authority Changes Report
  • Permission Changes Report
  • Owner Changes Report
  • Created server roles
  • Dropped server roles
  • Altered server roles
  • Created Server Audits
  • Dropped Server Audits
  • Altered server audits
  • Created Server Audit Specifications
  • Dropped Server Audit Specifications
  • Altered Server Audit Specifications
  • Created Database Audit Specifications
  • Dropped Database Audit Specifications
  • Altered Database Audit Specifications
  • Changed Audit Sessions
  • Shutdown and Failure Audit
  • Trace Audit C2 On
  • Trace Audit C2 Off
  • Started Trace Audits
  • Stopped Trace Audits
  • Server Startups
  • Server shutdowns
  • Status Reports
  • Logons
  • Failed Logons
  • Logout Accounts
  • Top logons based on users
  • Top logons based on remote logons
  • Top failure logons based remote logons
  • Top Failure Logons based on users
  • Logons Trend
  • Failed Logons Trend
  • Event Trend report
SQL Server error tracking Audits errors encountered, including failure of backup, restoration, unexpected shutdown of the servers, and more. Assists in troubleshooting database issues, provides visibility into problematic queries, and facilitates proactive maintenance.
  • All Events
  • Important Events
  • Read Event Trend
  • Write Event Trend
  • Successful Trusted Logins
  • Successful Non-Trusted Logins
  • Failed User Logins
  • Insufficient Resources Events
User activity auditing Track user activities within databases, including logins and modifications performed by each user. Enhances security by detecting unauthorized accesses, modifications, or suspicious behaviors, and helps with compliance audits.
  • Database Backup Report
  • Database Restore
  • Database Backup Failed
  • Transaction Log Backup Report
  • Admin Authority Changes Report
  • Permission Changes Report
  • Owner Changes Report
  • Created server roles
  • Dropped server roles
  • Altered server roles
  • Created Server Audits
  • Dropped Server Audits
  • Altered server audits
  • Created Server Audit Specifications
  • Dropped Server Audit Specifications
  • Altered Server Audit Specifications
  • Created Database Audit Specifications
  • Dropped Database Audit Specifications
  • Altered Database Audit Specifications
  • Changed Audit Sessions
  • Shutdown and Failure Audits
  • Trace Audit C2 On
  • Trace Audit C2 Off
  • Started Trace Audits
  • Stopped Trace Audits
  • Server Startups
  • Server shutdowns
  • Status Reports
  • Logons
  • Failed Logons
  • Logout Accounts
  • Top logons based on users
  • Top logons based on remote devices
  • Top failure logons based on remote devices
  • Top Failure Logons based on users
  • Logons Trend
  • Failed Logons Trend
  • Event Trend report

Special auditing use cases: Account lockout analysis, audit log tampering, column integrity monitoring.

Securing SQL Server using EventLog Analyzer: Use cases

Threat detection

The below table lists the out-of-the-box threat detection use cases covered for SQL Sever by EventLog Analyzer. The solution also offers a custom correlation rule builder for creating detection rules by users. Please refer to the instructions here to build your own detection rules.

Use Case Event Type Relevant MITRE ATT&CK TTPs Detection Rules
SQL injection attack detection
  • Obfuscated Files or Information (T1027)
  • Query registry (T1012)
 Initial Access: T1190
  • SQL injection
  • Repeated SQL injection attempts
  • Suspicious SQL backup activity
Privilege abuse
  • Permission Groups Discovery (T1069)
  • Create Account (T1136)
 Privilege Escalation: T1068
  • Privilege abuse
  • Unauthorized copies of sensitive data
  • Privilege abuse detected
Denial of service attack detection
  • Resource Exhaustion (T1498)
  • External Remote Services (T1133)
  • Command and Scripting Interpreter (T1059)
 Network Denial of Service: T1464 Denial of service
Detecting access violation
  • Brute Force (T1110)
  • Masquerading (T1036)
  • Credential Dumping (T1003)
 Account Manipulation: T1098 Access violation
Detecting malicious access attempts
  • External Remote Services (T1133)
  • Brute Force (T1110)
  • Credential Dumping (T1003)
 Valid Accounts: T1078 Successful non-trusted logins

Data security

The below table elaborates the data security use cases covered by EventLog Analyzer for SQL Server.

Use case Event type Relevant MITRE ATT&CK TTPs Detection rules
Detecting unauthorized copies of sensitive data
  • Exfiltration Over Command and Control Channel (T1041)
  • Data from Local System (T1005)
  • Automated Collection (T1119)
 Data Manipulation: T1565 Unauthorized copies of sensitive data
Unauthorized sensitive data modification
  • Data Manipulation (T1565)
  • File Deletion (T1107)
  • Indicator Removal on Host (T1070)
 Data Manipulation: T1565 Integrity audit
Storage media exposure
  • Data from Removable Media (T1025)
  • Exfiltration Over Physical Medium (T1052)
  • Stored Data Manipulation: T1561.001
  • Hidden Files and Directories: T1564.003
  • Replication Through Removable Media: T1091
 Storage media exposure

Compliance use cases

Maintaining compliance goes beyond individual platforms. Auditing user activity isn't just for SQL Server, but for all devices, applications, and servers in your network. This table details how SQL Server's audit reports, rules, and alerts, analyzed by EventLog Analyzer, address specific compliance requirements. See the comprehensive solution mapping for a deeper dive.

Compliance requirement: Solution mapping for SQL Server

EventLog Analyzer capabilities Regulatory mandates Requirements
Summary reports and alerts Rules
  • SQL Server Privilege Abuse
  • SQL Server Unauthorized Copies of Sensitive Data
  • SQL Server Account Locked Out
  • SQL Server Storage Media Exposure
  • SQL Server SQL Injection
  • SQL Server Denial of Service
 Suspicious SQL backup activity SOX SEC 302 (a) (5) (A)
  • SQL Server Database Created
  • SQL Server Database Dropped
  • SQL Server Database Altered
  • SQL Server Table Created
  • SQL Server Table Dropped
  • SQL Server Table Altered
  • SQL Server Procedure Created
  • SQL Server Procedure Dropped
  • SQL Server Procedure Altered
  • SQL Server Schema Created
  • SQL Server Schema Dropped
  • SQL Server Schema Altered
  • SQL Server Privilege Abuse
  • SQL Server Unauthorized Copies of Sensitive Data
  • SQL Server Account Locked Out
  • SQL Server Storage Media Exposure
  • SQL Server SQL Injection
  • SQL Server Denial of Service
  • SQL Server Tables Selected
  • SQL Server Tables Inserted
  • SQL Server Tables Updated
  • SQL Server Tables Deleted
  • SQL Server Schema Selected
  • SQL Server Schema Inserted
  • SQL Server Schema Updated
  • SQL Server Schema Deleted
  • SQL Server Execute Command
  • SQL Server Receive Command
  • SQL Server Check Reference Command
  • Suspicious SQL backup activity
  • Repeated SQL injection attempts
 ISLP
  • ARTICLE 12
  • ARTICLE 13
  • ARTICLE 19.3
  • ARTICLE 20.5
  • ARTICLE 30.4
  • ARTICLE 30.6
GDPR
  • GDPR ARTICLE 5 (1B)
  • GDPR ARTICLE 5 (1D)
  • GDPR ARTICLE 5 (1F)
  • GDPR ARTICLE 32 (1D)
NRC
  • ACT B.1.6
  • ACT B.1.22
  • ACT B.2.6
  • ACT C.3.4
  • ACT C.3.7
  • ACT C.4.3
Cyber Essentials
  • 1. Secure Configuration
  • 2. User Access Control
COCO
  • 1.B.Secure Configuration
  • 1.D.Protective monitoring and intrusion detection
  • 2.Authentication and Access Contol
CCPA and CPRA Section 1798.150.(a)
NERC
  • CIP 005-6 R1.3
  • CIP 007-6 R4.1
  • CIP 007-6 R4.2
  • CIP 007-6 R5.3
  • CIP 007-6 R5.7
FERPA Section 99.31 (a)(1)(ii)
PDPA
  • RULE VI Section 25
  • RULE VII Section 30
NIST CSF Data Security (PR.DS)
CMMC
  • C001 - AC.1.001
  • C013 - CM.2.061
POPIA
  • Chapter 3 - Section 20 (1) (b)
  • Chapter 3 - Section 19 (2) (a)
QCF
  • 3.2 Endpoint Security Service
  • 4.2 Application Security Service
  • 4.6.2 Threat Modelling
  • 5.2.2 Network Access Control Management Service
  • 6.2 Data Protection Service
  • 6.8.3 Data at rest
  • 7.2 Change and Patch Management Service
  • 8.11 Security monitoring and operations strategy
TISAX
  • 4.1.2
  • 4.1.3
  • 4.2.1
  • 5.2.4
  • 5.2.7
SAMA
  • 3.2.1.1 Cyber Security Risk Identification
  • 3.2.1.3 Cyber Security Risk Response
  • 3.3.5 Identity and Access Management
  • 3.3.7 Change Management
 

Additional Resource

Configuring MS SQL Server for Auditing in EventLog Analyzer SQL injection attack detection using EventLog Analyzer
 
 

Relevant Videos

SQL Auditing Using EventLog Analyzer