Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Catch All : MSSQLSERVER Messages | Base Rule | General MSSQLSERVER Information | Operations : Information |
| ACCESS | Sub Rule | General Access | Other Audit Success |
| ADD MEMBER | Sub Rule | Account Added To Group | Access Granted |
| ALTER | Sub Rule | Alter Access Method Success | Other Audit Success |
| ALTER CONNECTION | Sub Rule | Connection Information | Information |
| ALTER RESOURCES | Sub Rule | General Information | Information |
| ALTER SERVER STATE | Sub Rule | General Information | Information |
| ALTER SETTINGS | Sub Rule | General Information | Information |
| ALTER TRACE | Sub Rule | General Information | Information |
| APPLICATION ROLE CHANGE PASSWORD GROUP | Sub Rule | Object Modified | Access Success |
| AUDIT CHANGE GROUP | Sub Rule | Policy Modified : Auditing | Policy |
| AUDIT SESSION CHANGED | Sub Rule | Session State Changed | Other Audit |
| AUDIT SHUTDOWN ON FAILURE | Sub Rule | System Shutdown | Startup and Shutdown |
| AUTHENTICATE | Sub Rule | Authenticate Type | Information |
| BACKUP | Sub Rule | General Backup Information | Information |
| BACKUP LOG | Sub Rule | General Backup Information | Information |
| BACKUP RESTORE GROUP | Sub Rule | Backup Completed | Information |
| BROKER LOGIN | Sub Rule | General Information | Information |
| BROKER LOGIN GROUP | Sub Rule | General Information | Information |
| BULK ADMIN | Sub Rule | General Information | Information |
| Catch All : MSSQLSERVER Messages | Sub Rule | General MSSQLSERVER Information | Information |
| CHANGE DEFAULT DATABASE | Sub Rule | Configuration Modified : Database | Configuration |
| CHANGE DEFAULT LANGUAGE | Sub Rule | General Information | Information |
| CHANGE LOGIN CREDENTIAL | Sub Rule | Policy Modified : User/Password | Policy |
| CHANGE OWN PASSWORD | Sub Rule | Performing Password Change | Information |
| CHANGE PASSWORD | Sub Rule | Password Change Requested | Information |
| CHANGE USERS LOGIN | Sub Rule | Object Modified | Access Success |
| CHANGE USERS LOGIN AUTO | Sub Rule | Object Modified | Access Success |
| CHECKPOINT | Sub Rule | Checkpoint Completed | Information |
| CONNECT | Sub Rule | Connection Established | Network Traffic |
| CREATE | Sub Rule | General Information | Information |
| CREDENTIAL MAP TO LOGIN | Sub Rule | Object Attribute Modified | Access Success |
| DATABASE CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE MIRRORING LOGIN | Sub Rule | Authentication Activity | Authentication Success |
| DATABASE MIRRORING LOGIN GROUP | Sub Rule | Authentication Activity | Authentication Success |
| DATABASE OBJECT ACCESS GROUP | Sub Rule | Group Membership Information | Other Audit |
| DATABASE OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE OPERATION GROUP | Sub Rule | Group Information | Information |
| DATABASE OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE PRINCIPAL CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE PRINCIPAL IMPERSONATION GROUP | Sub Rule | Database Principal Impersonation | Other Audit Success |
| DATABASE ROLE MEMBER CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DBCC | Sub Rule | General Information | Information |
| DBCC GROUP | Sub Rule | General Information | Information |
| DELETE | Sub Rule | Delete Node Request | Information |
| DENY | Sub Rule | General Information | Information |
| DENY WITH CASCADE | Sub Rule | General Information | Information |
| DISABLE | Sub Rule | General Information | Information |
| DROP | Sub Rule | General Information | Information |
| DROP MEMBER | Sub Rule | User Account Deleted | Account Deleted |
| ENABLE | Sub Rule | General Information | Information |
| EVID 17177 : MSSQLSERVER Process ID Information | Sub Rule | General MSSQLSERVER Information | Information |
| EVID 18264 : MSSQLSERVER Database Backed Up | Sub Rule | Backup Succeeded | Information |
| EVID 18456 : MSSQLSERVER Login Failed For User | Sub Rule | User Logon Failure | Authentication Failure |
| EXECUTE | Sub Rule | Command Executed | Access Success |
| EXTERNAL ACCESS ASSEMBLY | Sub Rule | General Information | Information |
| FAILED LOGIN GROUP | Sub Rule | Authentication Failure Activity | Authentication Failure |
| FULLTEXT | Sub Rule | General Information | Information |
| FULLTEXT GROUP | Sub Rule | General Information | Information |
| GRANT | Sub Rule | Access Granted Activity | Access Granted |
| GRANT WITH GRANT | Sub Rule | General Information | Information |
| IMPERSONATE | Sub Rule | Database Principal Impersonation | Other Audit Success |
| INSERT | Sub Rule | General Information | Information |
| LOGIN CHANGE PASSWORD GROUP | Sub Rule | Group Information | Information |
| LOGIN FAILED | Sub Rule | Authentication Failure Activity | Authentication Failure |
| LOGIN SUCCEEDED | Sub Rule | Authentication Activity | Authentication Success |
| LOGOUT | Sub Rule | Logout Request | Information |
| LOGOUT GROUP | Sub Rule | Logout Request | Information |
| MUST CHANGE PASSWORD | Sub Rule | Password Change Forced | Information |
| NAME CHANGE | Sub Rule | User Account Name Modified | Account Modified |
| NO CREDENTIAL MAP TO LOGIN | Sub Rule | Authentication Failure Activity | Authentication Failure |
| OPEN | Sub Rule | General Information | Information |
| PASSWORD EXPIRATION | Sub Rule | Password Change Required | Information |
| PASSWORD POLICY | Sub Rule | General Information | Information |
| RECEIVE | Sub Rule | General Information | Information |
| REFERENCES | Sub Rule | General Information | Information |
| RESET OWN PASSWORD | Sub Rule | Password Change Requested | Information |
| RESET PASSWORD | Sub Rule | Password Change Requested | Information |
| RESTORE | Sub Rule | Database Restored | Other Audit Success |
| REVOKE | Sub Rule | Account Disabled | Access Revoked |
| REVOKE WITH CASCADE | Sub Rule | Ownership Revoked | Access Revoked |
| REVOKE WITH GRANT | Sub Rule | Privilege Revoked | Access Revoked |
| SCHEMA OBJECT ACCESS GROUP | Sub Rule | Group Membership Information | Other Audit |
| SCHEMA OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SCHEMA OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SCHEMA OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SELECT | Sub Rule | General Information | Information |
| SEND | Sub Rule | General Information | Information |
| SERVER CONTINUE | Sub Rule | General Information | Information |
| SERVER OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER OPERATION GROUP | Sub Rule | Group Information | Information |
| SERVER PAUSED | Sub Rule | Server Frozen | Information |
| SERVER PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER PRINCIPAL CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER PRINCIPAL IMPERSONATION GROUP | Sub Rule | General Information | Information |
| SERVER ROLE MEMBER CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER SHUTDOWN | Sub Rule | The Server Is Down | Information |
| SERVER STARTED | Sub Rule | Server State Changed To Up | Information |
| SERVER STATE CHANGE GROUP | Sub Rule | Group Information | Information |
| SHOW PLAN | Sub Rule | General Information | Information |
| SQLAgent | Sub Rule | General MSSQLServerAgent Information | Information |
| SUBSCRIBE QUERY NOTIFICATION | Sub Rule | General Notification | Information |
| SUCCESSFUL LOGIN GROUP | Sub Rule | LOGIN_INFORMATION | Information |
| TAKE OWNERSHIP | Sub Rule | General Information | Information |
| TRACE AUDIT C2OFF | Sub Rule | General Trace Information | Information |
| TRACE AUDIT C2ON | Sub Rule | General Trace Information | Information |
| TRACE AUDIT START | Sub Rule | General Trace Information | Information |
| TRACE AUDIT STOP | Sub Rule | General Trace Information | Information |
| TRACE CHANGE GROUP | Sub Rule | Group Information | Information |
| TRANSFER | Sub Rule | General File Transfer Message | Information |
| UNLOCK ACCOUNT | Sub Rule | Account Unlocked | Access Granted |
| UNSAFE ASSEMBLY | Sub Rule | General Application Error Information | Information |
| UPDATE | Sub Rule | General Information | Information |
| VIEW CHANGETRACKING | Sub Rule | General Information | Information |
| VIEW DATABASE STATE | Sub Rule | General Information | Information |
| VIEW SERVER STATE | Sub Rule | General Information | Information |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Provider Name | <vendorinfo> | Text/String |
| EventID Qualifiers | <vmid> | Number |
| Level | <severity> | Text/String |
| N/A | <sip> | IP address |
| Computer | <dname> | Text/String |
| N/A | <sname> | Text/String |
| N/A | <login> | Text/String |
| N/A | <domainorigin> | Text/String |
| N/A | <command> | Text/String |
| N/A | <action> | Text/String |
| N/A | <reason> | Text/String |
| N/A | <tag1> | Text/String |
| N/A | <tag2> | Text/String |