Catch All : MSSQLSERVER Messages
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Catch All : MSSQLSERVER Messages | Base Rule | General MSSQLSERVER Information | Operations : Information |
| ACCESS | Sub Rule | General Access | Other Audit Success |
| ADD MEMBER | Sub Rule | Account Added To Group | Access Granted |
| ALTER | Sub Rule | Alter Access Method Success | Other Audit Success |
| ALTER CONNECTION | Sub Rule | Connection Information | Information |
| ALTER RESOURCES | Sub Rule | General Information | Information |
| ALTER SERVER STATE | Sub Rule | General Information | Information |
| ALTER SETTINGS | Sub Rule | General Information | Information |
| ALTER TRACE | Sub Rule | General Information | Information |
| APPLICATION ROLE CHANGE PASSWORD GROUP | Sub Rule | Object Modified | Access Success |
| AUDIT CHANGE GROUP | Sub Rule | Policy Modified : Auditing | Policy |
| AUDIT SESSION CHANGED | Sub Rule | Session State Changed | Other Audit |
| AUDIT SHUTDOWN ON FAILURE | Sub Rule | System Shutdown | Startup and Shutdown |
| AUTHENTICATE | Sub Rule | Authenticate Type | Information |
| BACKUP | Sub Rule | General Backup Information | Information |
| BACKUP LOG | Sub Rule | General Backup Information | Information |
| BACKUP RESTORE GROUP | Sub Rule | Backup Completed | Information |
| BROKER LOGIN | Sub Rule | General Information | Information |
| BROKER LOGIN GROUP | Sub Rule | General Information | Information |
| BULK ADMIN | Sub Rule | General Information | Information |
| Catch All : MSSQLSERVER Messages | Sub Rule | General MSSQLSERVER Information | Information |
| CHANGE DEFAULT DATABASE | Sub Rule | Configuration Modified : Database | Configuration |
| CHANGE DEFAULT LANGUAGE | Sub Rule | General Information | Information |
| CHANGE LOGIN CREDENTIAL | Sub Rule | Policy Modified : User/Password | Policy |
| CHANGE OWN PASSWORD | Sub Rule | Performing Password Change | Information |
| CHANGE PASSWORD | Sub Rule | Password Change Requested | Information |
| CHANGE USERS LOGIN | Sub Rule | Object Modified | Access Success |
| CHANGE USERS LOGIN AUTO | Sub Rule | Object Modified | Access Success |
| CHECKPOINT | Sub Rule | Checkpoint Completed | Information |
| CONNECT | Sub Rule | Connection Established | Network Traffic |
| CREATE | Sub Rule | General Information | Information |
| CREDENTIAL MAP TO LOGIN | Sub Rule | Object Attribute Modified | Access Success |
| DATABASE CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE MIRRORING LOGIN | Sub Rule | Authentication Activity | Authentication Success |
| DATABASE MIRRORING LOGIN GROUP | Sub Rule | Authentication Activity | Authentication Success |
| DATABASE OBJECT ACCESS GROUP | Sub Rule | Group Membership Information | Other Audit |
| DATABASE OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE OPERATION GROUP | Sub Rule | Group Information | Information |
| DATABASE OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE PRINCIPAL CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DATABASE PRINCIPAL IMPERSONATION GROUP | Sub Rule | Database Principal Impersonation | Other Audit Success |
| DATABASE ROLE MEMBER CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| DBCC | Sub Rule | General Information | Information |
| DBCC GROUP | Sub Rule | General Information | Information |
| DELETE | Sub Rule | Delete Node Request | Information |
| DENY | Sub Rule | General Information | Information |
| DENY WITH CASCADE | Sub Rule | General Information | Information |
| DISABLE | Sub Rule | General Information | Information |
| DROP | Sub Rule | General Information | Information |
| DROP MEMBER | Sub Rule | User Account Deleted | Account Deleted |
| ENABLE | Sub Rule | General Information | Information |
| EVID 17177 : MSSQLSERVER Process ID Information | Sub Rule | General MSSQLSERVER Information | Information |
| EVID 18264 : MSSQLSERVER Database Backed Up | Sub Rule | Backup Succeeded | Information |
| EVID 18456 : MSSQLSERVER Login Failed For User | Sub Rule | User Logon Failure | Authentication Failure |
| EXECUTE | Sub Rule | Command Executed | Access Success |
| EXTERNAL ACCESS ASSEMBLY | Sub Rule | General Information | Information |
| FAILED LOGIN GROUP | Sub Rule | Authentication Failure Activity | Authentication Failure |
| FULLTEXT | Sub Rule | General Information | Information |
| FULLTEXT GROUP | Sub Rule | General Information | Information |
| GRANT | Sub Rule | Access Granted Activity | Access Granted |
| GRANT WITH GRANT | Sub Rule | General Information | Information |
| IMPERSONATE | Sub Rule | Database Principal Impersonation | Other Audit Success |
| INSERT | Sub Rule | General Information | Information |
| LOGIN CHANGE PASSWORD GROUP | Sub Rule | Group Information | Information |
| LOGIN FAILED | Sub Rule | Authentication Failure Activity | Authentication Failure |
| LOGIN SUCCEEDED | Sub Rule | Authentication Activity | Authentication Success |
| LOGOUT | Sub Rule | Logout Request | Information |
| LOGOUT GROUP | Sub Rule | Logout Request | Information |
| MUST CHANGE PASSWORD | Sub Rule | Password Change Forced | Information |
| NAME CHANGE | Sub Rule | User Account Name Modified | Account Modified |
| NO CREDENTIAL MAP TO LOGIN | Sub Rule | Authentication Failure Activity | Authentication Failure |
| OPEN | Sub Rule | General Information | Information |
| PASSWORD EXPIRATION | Sub Rule | Password Change Required | Information |
| PASSWORD POLICY | Sub Rule | General Information | Information |
| RECEIVE | Sub Rule | General Information | Information |
| REFERENCES | Sub Rule | General Information | Information |
| RESET OWN PASSWORD | Sub Rule | Password Change Requested | Information |
| RESET PASSWORD | Sub Rule | Password Change Requested | Information |
| RESTORE | Sub Rule | Database Restored | Other Audit Success |
| REVOKE | Sub Rule | Account Disabled | Access Revoked |
| REVOKE WITH CASCADE | Sub Rule | Ownership Revoked | Access Revoked |
| REVOKE WITH GRANT | Sub Rule | Privilege Revoked | Access Revoked |
| SCHEMA OBJECT ACCESS GROUP | Sub Rule | Group Membership Information | Other Audit |
| SCHEMA OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SCHEMA OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SCHEMA OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SELECT | Sub Rule | General Information | Information |
| SEND | Sub Rule | General Information | Information |
| SERVER CONTINUE | Sub Rule | General Information | Information |
| SERVER OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER OPERATION GROUP | Sub Rule | Group Information | Information |
| SERVER PAUSED | Sub Rule | Server Frozen | Information |
| SERVER PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER PRINCIPAL CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER PRINCIPAL IMPERSONATION GROUP | Sub Rule | General Information | Information |
| SERVER ROLE MEMBER CHANGE GROUP | Sub Rule | Object Modified | Access Success |
| SERVER SHUTDOWN | Sub Rule | The Server Is Down | Information |
| SERVER STARTED | Sub Rule | Server State Changed To Up | Information |
| SERVER STATE CHANGE GROUP | Sub Rule | Group Information | Information |
| SHOW PLAN | Sub Rule | General Information | Information |
| SQLAgent | Sub Rule | General MSSQLServerAgent Information | Information |
| SUBSCRIBE QUERY NOTIFICATION | Sub Rule | General Notification | Information |
| SUCCESSFUL LOGIN GROUP | Sub Rule | LOGIN_INFORMATION | Information |
| TAKE OWNERSHIP | Sub Rule | General Information | Information |
| TRACE AUDIT C2OFF | Sub Rule | General Trace Information | Information |
| TRACE AUDIT C2ON | Sub Rule | General Trace Information | Information |
| TRACE AUDIT START | Sub Rule | General Trace Information | Information |
| TRACE AUDIT STOP | Sub Rule | General Trace Information | Information |
| TRACE CHANGE GROUP | Sub Rule | Group Information | Information |
| TRANSFER | Sub Rule | General File Transfer Message | Information |
| UNLOCK ACCOUNT | Sub Rule | Account Unlocked | Access Granted |
| UNSAFE ASSEMBLY | Sub Rule | General Application Error Information | Information |
| UPDATE | Sub Rule | General Information | Information |
| VIEW CHANGETRACKING | Sub Rule | General Information | Information |
| VIEW DATABASE STATE | Sub Rule | General Information | Information |
| VIEW SERVER STATE | Sub Rule | General Information | Information |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Provider Name | <venderinfo> | Text/String |
| EventID Qualifiers | <vmid> | Number |
| Level | <severity> | Text/String |
| N/A | <sip> | IP address |
| computer | <dname> | Text/String |
| N/A | <sname> | Text/String |
| N/A | <login> | Text/String |
| N/A | <domainorigin> | Text/String |
| N/A | <command> | Text/String |
| N/A | <action> | Text/String |
| N/A | <reason> | Text/String |
| N/A | <tag1> | Text/String |
| N/A | <tag2> | Text/String |