Classification

Rule Name | Rule Type | Common Event | Classification
Catch All : MSSQLSERVER Messages | Base Rule | General MSSQLSERVER Information | Operations : Information
ACCESS | Sub Rule | General Access | Other Audit Success
ADD MEMBER | Sub Rule | Account Added To Group | Access Granted
ALTER | Sub Rule | Alter Access Method Success | Other Audit Success
ALTER CONNECTION | Sub Rule | Connection Information | Information
ALTER RESOURCES | Sub Rule | General Information | Information
ALTER SERVER STATE | Sub Rule | General Information | Information
ALTER SETTINGS | Sub Rule | General Information | Information
ALTER TRACE | Sub Rule | General Information | Information
APPLICATION ROLE CHANGE PASSWORD GROUP | Sub Rule | Object Modified | Access Success
AUDIT CHANGE GROUP | Sub Rule | Policy Modified : Auditing | Policy
AUDIT SESSION CHANGED | Sub Rule | Session State Changed | Other Audit
AUDIT SHUTDOWN ON FAILURE | Sub Rule | System Shutdown | Startup and Shutdown
AUTHENTICATE | Sub Rule | Authenticate Type | Information
BACKUP | Sub Rule | General Backup Information | Information
BACKUP LOG | Sub Rule | General Backup Information | Information
BACKUP RESTORE GROUP | Sub Rule | Backup Completed | Information
BROKER LOGIN | Sub Rule | General Information | Information
BROKER LOGIN GROUP | Sub Rule | General Information | Information
BULK ADMIN | Sub Rule | General Information | Information
Catch All : MSSQLSERVER Messages | Sub Rule | General MSSQLSERVER Information | Information
CHANGE DEFAULT DATABASE | Sub Rule | Configuration Modified : Database | Configuration
CHANGE DEFAULT LANGUAGE | Sub Rule | General Information | Information
CHANGE LOGIN CREDENTIAL | Sub Rule | Policy Modified : User/Password | Policy
CHANGE OWN PASSWORD | Sub Rule | Performing Password Change | Information
CHANGE PASSWORD | Sub Rule | Password Change Requested | Information
CHANGE USERS LOGIN | Sub Rule | Object Modified | Access Success
CHANGE USERS LOGIN AUTO | Sub Rule | Object Modified | Access Success
CHECKPOINT | Sub Rule | Checkpoint Completed | Information
CONNECT | Sub Rule | Connection Established | Network Traffic
CREATE | Sub Rule | General Information | Information
CREDENTIAL MAP TO LOGIN | Sub Rule | Object Attribute Modified | Access Success
DATABASE CHANGE GROUP | Sub Rule | Object Modified | Access Success
DATABASE MIRRORING LOGIN | Sub Rule | Authentication Activity | Authentication Success
DATABASE MIRRORING LOGIN GROUP | Sub Rule | Authentication Activity | Authentication Success
DATABASE OBJECT ACCESS GROUP | Sub Rule | Group Membership Information | Other Audit
DATABASE OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success
DATABASE OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success
DATABASE OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success
DATABASE OPERATION GROUP | Sub Rule | Group Information | Information
DATABASE OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success
DATABASE PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success
DATABASE PRINCIPAL CHANGE GROUP | Sub Rule | Object Modified | Access Success
DATABASE PRINCIPAL IMPERSONATION GROUP | Sub Rule | Database Principal Impersonation | Other Audit Success
DATABASE ROLE MEMBER CHANGE GROUP | Sub Rule | Object Modified | Access Success
DBCC | Sub Rule | General Information | Information
DBCC GROUP | Sub Rule | General Information | Information
DELETE | Sub Rule | Delete Node Request | Information
DENY | Sub Rule | General Information | Information
DENY WITH CASCADE | Sub Rule | General Information | Information
DISABLE | Sub Rule | General Information | Information
DROP | Sub Rule | General Information | Information
DROP MEMBER | Sub Rule | User Account Deleted | Account Deleted
ENABLE | Sub Rule | General Information | Information
EVID 17177 : MSSQLSERVER Process ID Information | Sub Rule | General MSSQLSERVER Information | Information
EVID 18264 : MSSQLSERVER Database Backed Up | Sub Rule | Backup Succeeded | Information
EVID 18456 : MSSQLSERVER Login Failed For User | Sub Rule | User Logon Failure | Authentication Failure
EXECUTE | Sub Rule | Command Executed | Access Success
EXTERNAL ACCESS ASSEMBLY | Sub Rule | General Information | Information
FAILED LOGIN GROUP | Sub Rule | Authentication Failure Activity | Authentication Failure
FULLTEXT | Sub Rule | General Information | Information
FULLTEXT GROUP | Sub Rule | General Information | Information
GRANT | Sub Rule | Access Granted Activity | Access Granted
GRANT WITH GRANT | Sub Rule | General Information | Information
IMPERSONATE | Sub Rule | Database Principal Impersonation | Other Audit Success
INSERT | Sub Rule | General Information | Information
LOGIN CHANGE PASSWORD GROUP | Sub Rule | Group Information | Information
LOGIN FAILED | Sub Rule | Authentication Failure Activity | Authentication Failure
LOGIN SUCCEEDED | Sub Rule | Authentication Activity | Authentication Success
LOGOUT | Sub Rule | Logout Request | Information
LOGOUT GROUP | Sub Rule | Logout Request | Information
MUST CHANGE PASSWORD | Sub Rule | Password Change Forced | Information
NAME CHANGE | Sub Rule | User Account Name Modified | Account Modified
NO CREDENTIAL MAP TO LOGIN | Sub Rule | Authentication Failure Activity | Authentication Failure
OPEN | Sub Rule | General Information | Information
PASSWORD EXPIRATION | Sub Rule | Password Change Required | Information
PASSWORD POLICY | Sub Rule | General Information | Information
RECEIVE | Sub Rule | General Information | Information
REFERENCES | Sub Rule | General Information | Information
RESET OWN PASSWORD | Sub Rule | Password Change Requested | Information
RESET PASSWORD | Sub Rule | Password Change Requested | Information
RESTORE | Sub Rule | Database Restored | Other Audit Success
REVOKE | Sub Rule | Account Disabled | Access Revoked
REVOKE WITH CASCADE | Sub Rule | Ownership Revoked | Access Revoked
REVOKE WITH GRANT | Sub Rule | Privilege Revoked | Access Revoked
SCHEMA OBJECT ACCESS GROUP | Sub Rule | Group Membership Information | Other Audit
SCHEMA OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success
SCHEMA OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success
SCHEMA OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success
SELECT | Sub Rule | General Information | Information
SEND | Sub Rule | General Information | Information
SERVER CONTINUE | Sub Rule | General Information | Information
SERVER OBJECT CHANGE GROUP | Sub Rule | Object Modified | Access Success
SERVER OBJECT OWNERSHIP CHANGE GROUP | Sub Rule | Object Modified | Access Success
SERVER OBJECT PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success
SERVER OPERATION GROUP | Sub Rule | Group Information | Information
SERVER PAUSED | Sub Rule | Server Frozen | Information
SERVER PERMISSION CHANGE GROUP | Sub Rule | Object Modified | Access Success
SERVER PRINCIPAL CHANGE GROUP | Sub Rule | Object Modified | Access Success
SERVER PRINCIPAL IMPERSONATION GROUP | Sub Rule | General Information | Information
SERVER ROLE MEMBER CHANGE GROUP | Sub Rule | Object Modified | Access Success
SERVER SHUTDOWN | Sub Rule | The Server Is Down | Information
SERVER STARTED | Sub Rule | Server State Changed To Up | Information
SERVER STATE CHANGE GROUP | Sub Rule | Group Information | Information
SHOW PLAN | Sub Rule | General Information | Information
SQLAgent | Sub Rule | General MSSQLServerAgent Information | Information
SUBSCRIBE QUERY NOTIFICATION | Sub Rule | General Notification | Information
SUCCESSFUL LOGIN GROUP | Sub Rule | LOGIN_INFORMATION | Information
TAKE OWNERSHIP | Sub Rule | General Information | Information
TRACE AUDIT C2OFF | Sub Rule | General Trace Information | Information
TRACE AUDIT C2ON | Sub Rule | General Trace Information | Information
TRACE AUDIT START | Sub Rule | General Trace Information | Information
TRACE AUDIT STOP | Sub Rule | General Trace Information | Information
TRACE CHANGE GROUP | Sub Rule | Group Information | Information
TRANSFER | Sub Rule | General File Transfer Message | Information
UNLOCK ACCOUNT | Sub Rule | Account Unlocked | Access Granted
UNSAFE ASSEMBLY | Sub Rule | General Application Error Information | Information
UPDATE | Sub Rule | General Information | Information
VIEW CHANGETRACKING | Sub Rule | General Information | Information
VIEW DATABASE STATE | Sub Rule | General Information | Information
VIEW SERVER STATE | Sub Rule | General Information | Information

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQL$OLMETRO'/><EventID Qualifiers='49152'>18456</EventID><Level>Information</Level><Task>Logon</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2019-06-06T00:55:29.612701900Z'/><EventRecordID>5244957</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security UserID='_domainorigin\_originUser'/></System><EventData><Data>_sourceHostname\</Data><Data> Reason: Could not find a login matching the name provided.</Data><Data> [CLIENT: 1.1.1.1]</Data><Binary>184800000E000000150000005000570056002D00440043002D00530044004200300031005C004F004C004D004500540052004F000000070000006D00610073007400650072000000</Binary></EventData></Event>

Mapping with LogRhythm Schema

The rows below show how the sample EVID 18456 event above is mapped. Keys marked N/A are not standalone XML elements; they are taken from the message text inside the Data elements or from the Security UserID attribute.

Device Key in Log Message | Log Value | LogRhythm Schema | Data Type
Provider Name | MSSQL$OLMETRO | <vendorinfo> | Text/String
EventID | 18456 | <vmid> | Number
Level | Information | <severity> | Text/String
N/A (from [CLIENT: ...] in the message) | 1.1.1.1 | <sip> | IP address
Computer | _destinationhostname | <dname> | Text/String
N/A (first Data element) | _sourceHostname | <sname> | Text/String
N/A (Security UserID, after the backslash) | _originUser | <login> | Text/String
N/A (Security UserID, before the backslash) | _domainorigin | <domainorigin> | Text/String
N/A | N/A | <command> | Text/String
N/A | N/A | <action> | Text/String
N/A (from "Reason:" in the message) | Could not find a login matching the name provided | <reason> | Text/String
N/A | N/A | <tag1> | Text/String
N/A (constant) | MSSQL | <tag2> | Text/String
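The following is an added example, not LogRhythm's parser or MPE rule logic: it applies the mapping table above to the sample EVID 18456 event with a plain XML parse and two regexes, then looks up the EVID rows of the classification table (falling back to the Catch All row) to attach Common Event and Classification. It also decodes the Binary payload of the sample; the layout used there (int32 SQL error number, int32 severity, then two strings each prefixed by an int32 count of UTF-16 code units including the NUL) is inferred from this one sample and is an assumption, not something the page documents. The sample event is embedded as a constructed copy of the one shown above.

```python
"""Map an MSSQL Application-log event (EVID 18456 sample) to LogRhythm fields."""
import re
import struct
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed copy of the page's sample event (EVID 18456, login failure).
SAMPLE_EVENT = (
    r"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    r"<System><Provider Name='MSSQL$OLMETRO'/><EventID Qualifiers='49152'>18456</EventID>"
    r"<Level>Information</Level><Task>Logon</Task><Keywords>Classic</Keywords>"
    r"<TimeCreated SystemTime='2019-06-06T00:55:29.612701900Z'/>"
    r"<EventRecordID>5244957</EventRecordID><Channel>Application</Channel>"
    r"<Computer>_destinationhostname</Computer>"
    r"<Security UserID='_domainorigin\_originUser'/></System>"
    r"<EventData><Data>_sourceHostname\</Data>"
    r"<Data> Reason: Could not find a login matching the name provided.</Data>"
    r"<Data> [CLIENT: 1.1.1.1]</Data>"
    r"<Binary>184800000E000000150000005000570056002D00440043002D0053004400420030003100"
    r"5C004F004C004D004500540052004F000000070000006D00610073007400650072000000</Binary>"
    r"</EventData></Event>"
)

# EVID rows of the classification table: Event ID -> (Common Event, Classification).
EVID_RULES = {
    17177: ("General MSSQLSERVER Information", "Information"),
    18264: ("Backup Succeeded", "Information"),
    18456: ("User Logon Failure", "Authentication Failure"),
}
CATCH_ALL = ("General MSSQLSERVER Information", "Information")


def decode_binary(hex_blob):
    """Decode the <Binary> payload. Layout is an assumption inferred from the
    sample: int32 error number, int32 severity, then two length-prefixed
    UTF-16LE strings (count in code units, NUL included): server\\instance, database."""
    raw = bytes.fromhex(hex_blob)
    error, severity = struct.unpack_from("<ii", raw, 0)
    offset, strings = 8, []
    for _ in range(2):
        (units,) = struct.unpack_from("<i", raw, offset)
        offset += 4
        strings.append(raw[offset:offset + 2 * units].decode("utf-16-le").rstrip("\x00"))
        offset += 2 * units
    return {"error": error, "severity": severity,
            "server": strings[0], "database": strings[1]}


def parse_event(xml_text):
    """Pull the System and EventData pieces the mapping table refers to."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    event_data = root.find("e:EventData", EVT_NS)
    return {
        "provider": system.find("e:Provider", EVT_NS).get("Name"),
        "event_id": int(system.find("e:EventID", EVT_NS).text),
        "level": system.find("e:Level", EVT_NS).text,
        "computer": system.find("e:Computer", EVT_NS).text,
        "user_id": system.find("e:Security", EVT_NS).get("UserID", ""),
        "data": [d.text or "" for d in event_data.findall("e:Data", EVT_NS)],
        "binary": event_data.findtext("e:Binary", default="", namespaces=EVT_NS),
    }


def map_to_logrhythm(xml_text):
    """Return the mapping-table fields plus the matching classification row."""
    ev = parse_event(xml_text)
    common_event, classification = EVID_RULES.get(ev["event_id"], CATCH_ALL)
    message = " ".join(ev["data"])
    client = re.search(r"\[CLIENT:\s*([^\]]+)\]", message)
    reason = re.search(r"Reason:\s*(.*?)\.?\s*(?:\[CLIENT:|$)", message)
    domain, _, user = ev["user_id"].rpartition("\\")  # DOMAIN\user -> (DOMAIN, user)
    fields = {
        "vendorinfo": ev["provider"],
        "vmid": ev["event_id"],
        "severity": ev["level"],
        "sip": client.group(1) if client else None,
        "dname": ev["computer"],
        "sname": ev["data"][0].rstrip("\\") if ev["data"] else None,
        "login": user,
        "domainorigin": domain,
        "reason": reason.group(1) if reason else None,
        "tag2": "MSSQL",
        "common_event": common_event,
        "classification": classification,
    }
    if ev["binary"]:
        fields["binary"] = decode_binary(ev["binary"])
    return fields


if __name__ == "__main__":
    for key, value in map_to_logrhythm(SAMPLE_EVENT).items():
        print(f"{key:15} {value}")
```

Two things worth noticing when you run it. The Binary payload decodes to the SQL instance name (server\OLMETRO, matching the MSSQL$OLMETRO provider) and the target database, neither of which the mapping table captures, so if you need the database a failed login was aimed at, this blob is where it lives. And the classification lookup keys only on the Event ID; the text-based sub rules in the table (LOGIN FAILED, FAILED LOGIN GROUP and so on) match on the message body, which this example does not attempt to reproduce.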