Classification

Rule Name                             | Rule Type | Common Event                   | Classification
--------------------------------------|-----------|--------------------------------|--------------------
EVID 33205 : SQL Audit Event          | Base Rule | Object Operation               | Other Audit Success
Table Deleted                         | Sub Rule  | Object Deleted/Removed         | Access Success
Server Role Dropped                   | Sub Rule  | User Account Deleted           | Account Deleted
Scalar Function Executed              | Sub Rule  | Command Executed               | Access Success
Stored Procedure Executed             | Sub Rule  | Command Executed               | Access Success
Synonym Executed                      | Sub Rule  | Command Executed               | Access Success
Security Policy Executed              | Sub Rule  | Command Executed               | Access Success
Type Executed                         | Sub Rule  | Command Executed               | Access Success
Table Inserted                        | Sub Rule  | Object Modified                | Access Success
Index Login                           | Sub Rule  | Login Or Logout Event Executed | Other Audit
Index Logout                          | Sub Rule  | Session Closed                 | Other Audit Success
Synonym Selected                      | Sub Rule  | Object Accessed                | Access Success
Function Scalar Object Selected       | Sub Rule  | Object Accessed                | Access Success
Tablet Selected                       | Sub Rule  | Object Accessed                | Access Success
View Selected                         | Sub Rule  | Object Accessed                | Access Success
Table Updated                         | Sub Rule  | Object Modified                | Access Success
Function Table-valued Object Selected | Sub Rule  | Object Accessed                | Access Success

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQL$EMODON'/><EventID Qualifiers='16384'>33205</EventID><Level>0</Level><Task>5</Task><Keywords></Keywords><TimeCreated SystemTime='2020-10-18T11:42:55.589680100Z'/><EventRecordID>13939328</EventRecordID><Channel>Application</Channel><Computer>_sourceHostname</Computer><Security/></System><EventData><Data>audit_schema_version:1
event_time:2020-10-18 11:42:54.9996441
sequence_number:1
action_id:AL
succeeded:true
is_column_permission:false
session_id:_sid
server_principal_id:267
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:1110436198
class_type:SE
permission_bitmask:00000000000000000000000000000000
sequence_group_id:75D9A041-A2FD-40A6-83C3-18EC4B8D0E80
session_server_principal_name:_hostname
server_principal_name:_originUser
server_principal_sid:0106000000000005500000000a5065023a06d8a2de93bad27c0d61f5d1c9d5f8
database_principal_name:public
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:_destinationHostname
database_name:master
schema_name:
object_name:telemetry_xevents
statement:ALTER EVENT SESSION [telemetry_xevents] ON SERVER STATE = start;
additional_information:
user_defined_information:
</Data></EventData></Event>

Mapping with LogRhythm Schema

Device Key in Log Message     | Log Value            | LogRhythm Schema | Data Type
------------------------------|----------------------|------------------|------------
Name (Provider)               | MSSQL$EMODON         | <vendorinfo>     | Text/String
EventID                       | 33205                | <vmid>           | Number
Level                         | 0                    | <severity>       | Number
Computer                      | _sourceHostname      | <sname>          | Text/String
server_instance_name          | _destinationHostname | <dname>          | Text/String
server_principal_name         | _originUser          | <login>          | Text/String
target_server_principal_name  | N/A                  | <account>        | Text/String
session_id                    | _sid                 | <session>        | Text/String
action_id                     | AL                   | <sessiontype>    | Text/String
database_name                 | master               | <object>         | Text/String
object_name                   | telemetry_xevents    | <objectname>     | Text/String
schema_name                   | N/A                  | <group>          | Text/String
succeeded                     | true                 | <result>         | Text/String
sequence_number               | 1                    | <quantity>       | Number
action_id                     | AL                   | <tag1>           | Text/String
class_type                    | SE                   | <tag2>           | Text/String
database_principal_name       | public               | <tag3>           | Text/String
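The following is an added worked example, not LogRhythm or Microsoft code, showing how the sample log above is taken apart and turned into the schema fields in the mapping table: the Windows event XML is parsed, the key:value payload inside <Data> is split on the first colon only (event_time and statement values contain further colons), empty values become N/A (None), and the result is summarised for triage. The payload keys and the field mapping come from this page. The sample is a trimmed, constructed copy of the page's event with the page's placeholders kept. The ACTION_NAMES table is an assumption taken from SQL Server's sys.dm_audit_actions view and is not on the page, and the function names (parse_audit_data, map_event, action_name, describe) and the "e" namespace prefix are this example's own choices.

```python
"""Map a SQL Server Audit event (EVID 33205, Application log) to LogRhythm
schema names. Added example; payload keys and field mapping follow the page,
ACTION_NAMES is an assumption from SQL Server's sys.dm_audit_actions."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the event on this page, trimmed to the payload keys the
# mapping uses, with the page's placeholders (_sid, _originUser, ...) kept as-is.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQL$EMODON'/><EventID Qualifiers='16384'>33205</EventID><Level>0</Level><Task>5</Task><Keywords></Keywords><TimeCreated SystemTime='2020-10-18T11:42:55.589680100Z'/><EventRecordID>13939328</EventRecordID><Channel>Application</Channel><Computer>_sourceHostname</Computer><Security/></System><EventData><Data>audit_schema_version:1
event_time:2020-10-18 11:42:54.9996441
sequence_number:1
action_id:AL
succeeded:true
session_id:_sid
class_type:SE
server_principal_name:_originUser
database_principal_name:public
target_server_principal_name:
server_instance_name:_destinationHostname
database_name:master
schema_name:
object_name:telemetry_xevents
statement:ALTER EVENT SESSION [telemetry_xevents] ON SERVER STATE = start;
</Data></EventData></Event>"""

# <Data> payload key -> LogRhythm schema field, per the mapping table above.
# The page lists action_id twice (<sessiontype> and <tag1>); tag1 is set below.
DATA_FIELD_MAP = {
    "server_instance_name": "dname",
    "server_principal_name": "login",
    "target_server_principal_name": "account",
    "session_id": "session",
    "action_id": "sessiontype",
    "database_name": "object",
    "object_name": "objectname",
    "schema_name": "group",
    "succeeded": "result",
    "class_type": "tag2",
    "database_principal_name": "tag3",
}

# Assumption (not from the page): action_id codes as listed in SQL Server's
# sys.dm_audit_actions; only codes the editor is certain of are included.
ACTION_NAMES = {
    "AL": "ALTER", "SL": "SELECT", "IN": "INSERT", "UP": "UPDATE", "DL": "DELETE",
    "EX": "EXECUTE", "DR": "DROP", "LGIS": "LOGIN SUCCEEDED", "LGO": "LOGOUT",
}

def parse_audit_data(text):
    """Split key:value lines on the FIRST colon only; event_time and statement
    values legitimately contain further colons."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def map_event(xml_text):
    """Return the event as a dict keyed by LogRhythm schema name (None = N/A)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    payload = root.findtext("e:EventData/e:Data", default="", namespaces=NS)
    fields = parse_audit_data(payload)
    mapped = {
        "vendorinfo": system.find("e:Provider", NS).get("Name"),
        "vmid": int(system.findtext("e:EventID", namespaces=NS)),
        "severity": int(system.findtext("e:Level", namespaces=NS)),
        "sname": system.findtext("e:Computer", namespaces=NS),
        "quantity": int(fields.get("sequence_number", "0")),
        "tag1": fields.get("action_id") or None,
    }
    for key, schema_name in DATA_FIELD_MAP.items():
        mapped[schema_name] = fields.get(key) or None  # empty payload value -> N/A
    return mapped

def action_name(code):
    """Readable verb for an action_id; unknown codes pass through unchanged."""
    return ACTION_NAMES.get(code, code)

def describe(xml_text):
    """One-line triage summary: who did what, to which object, with what outcome."""
    m = map_event(xml_text)
    outcome = "succeeded" if m["result"] == "true" else "failed"
    return (f"{action_name(m['tag1'])} ({m['tag2']}) on {m['object']}/{m['objectname']} "
            f"by {m['login']} from {m['sname']} on {m['dname']} {outcome}")

if __name__ == "__main__":
    print(describe(SAMPLE_EVENT))
```

Splitting on the first colon matters in practice: a naive `line.split(":")` would truncate event_time to the date and drop everything after the first colon of a statement, which is exactly the part of the record an analyst wants to read when a sub rule such as Table Deleted or Server Role Dropped fires.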