Stealthbits Activity Monitor - Stealthbits SQL Activity Monitor User Guide
2021

Stealthbits Activity Monitor®
Stealthbits SQL Activity Monitor User Guide

                                              TOC
    SQL Server Activity Monitor Overview                                            4

         Getting Started with SQL Server Activity Monitoring                        4

    Monitored Hosts Overview                                                        6

         MS SQL Server Host                                                         7

             Additional SQL Configuration                                          18

         Error Propagation                                                         19

    Monitored Hosts Properties Overview                                            20

         Host Properties                                                           21

             MS SQL Server Tab                                                     21
             Logon Trigger Tab                                                     23
             Inactivity Alerts Tab                                                 23
                 Syslog Alerts Tab                                                 24
                 Email Alerts Tab                                                  26

         Output Properties                                                         27

             Log File Tab                                                          27
             Operations Tab                                                        28
             Objects Tab                                                           29
             Account Exclusions Tab for SQL Hosts                                  30
             Additional Properties Tab                                             32
             Syslog Tab                                                            33

    Search Feature                                                                 36

         SQL Search Query                                                          37

         SQL Search Results                                                        39

         Export Search Results                                                     40

         Filter Search Results                                                     40

         Sort Search Results                                                       41

Doc_ID 813                                                                              2

               Copyright 2020 STEALTHBITS TECHNOLOGIES, INC. ALL RIGHTS RESERVED

    More Information                                                               43

    Stealthbits Activity Monitor Appendices                                        44

         Appendix: SQL Server Activity Monitor JSON Log File                       44

             JSON Examples                                                         46

             SQL Server Activity Monitor Overview
 Monitoring SQL Server activity is both a common gap and an opportunity for organizations looking
 to identify threats, achieve compliance, and streamline operations. This guide provides an
 overview of using the Activity Monitor to audit and monitor SQL Server activity.

 Getting Started with SQL Server Activity Monitoring
 The following workflow quickly enables users to begin monitoring an organization’s SQL server
 environment.

 Prepare the Environment

 Ensure that the following prerequisites and permissions are met:

 l   Configure the Windows firewall to allow SQL Server access (port 1433 for a default instance; a
     named instance may listen on a different, possibly dynamic, port)
 l   Permissions for the monitoring login:
     l   ALTER ANY EVENT SESSION — Allows the agent to start or stop an event session or change an
         event session configuration
     l   VIEW ANY DEFINITION — Allows the agent to view the SQL Server object definitions
     l   VIEW SERVER STATE — Allows the agent to access dynamic management views
 l   SQL Login mapped to the user databases to be monitored

 See the Microsoft SQL Configuration Guide for additional information.
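
 The following T-SQL is an added example, not a script from this guide or from the Microsoft SQL
 Configuration Guide. It creates a dedicated login for the activity agent with only the three
 server-level permissions listed above, maps it into every online user database, and then checks
 the result from that login's own point of view. The login name sbam_monitor and the password
 placeholder are assumptions; replace them. Run it as a sysadmin on the instance that will be
 monitored.

```sql
-- Added example, not part of the Stealthbits guide. Run as a sysadmin.
-- Login name and password are placeholders (assumptions); replace before use.
USE master;
GO

-- 1. Dedicated login for the activity agent (SQL authentication).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'sbam_monitor')
    CREATE LOGIN [sbam_monitor]
        WITH PASSWORD = N'<strong-password-here>', CHECK_POLICY = ON;
GO

-- 2. Only the server-level permissions the agent needs; no sysadmin.
GRANT ALTER ANY EVENT SESSION TO [sbam_monitor];  -- start/stop/alter Extended Events sessions
GRANT VIEW ANY DEFINITION     TO [sbam_monitor];  -- read object definitions
GRANT VIEW SERVER STATE       TO [sbam_monitor];  -- read DMVs such as sys.dm_xe_sessions
GO

-- 3. Map the login into every online user database (database_id > 4 skips
--    master, tempdb, model and msdb). USE inside the dynamic batch switches
--    context for that batch only.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''sbam_monitor'')
    CREATE USER [sbam_monitor] FOR LOGIN [sbam_monitor];
'
FROM sys.databases
WHERE database_id > 4 AND state_desc = N'ONLINE';
EXEC sys.sp_executesql @sql;
GO

-- 4. Verify as the agent's login: the three permissions must be listed and the
--    list of running Extended Events sessions must be readable. A permission
--    error here is the same failure the console's Connect test would report.
EXECUTE AS LOGIN = N'sbam_monitor';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, N'SERVER')
WHERE permission_name IN (N'ALTER ANY EVENT SESSION', N'VIEW ANY DEFINITION', N'VIEW SERVER STATE');
SELECT name AS running_xe_session FROM sys.dm_xe_sessions;  -- needs VIEW SERVER STATE
REVERT;
GO

-- 5. Independent check of what was actually granted, as the sysadmin.
SELECT pr.name AS login_name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'sbam_monitor';
```

 Step 4 is the useful part for troubleshooting: if the console's Connect test fails, running it
 shows directly which of the three permissions is missing and whether sys.dm_xe_sessions is
 readable by the monitoring login.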

 Activity Monitor Console & Agents

 Once the environment has been prepared for monitoring, it is time to install the Activity Monitor
 Console and deploy activity agents. The Activity Monitor is the platform from which monitoring
 of the target environment is managed. After installation, activity agents must be deployed to
 Windows servers. This is done on the Agents tab of the Activity Monitor Console. The credential
 provisioned for agent deployment is needed during this process. See the Stealthbits Activity
 Monitor Installation & Console User Guide for additional information.

 Monitor Hosts

 Once the activity agents have been deployed, it is time to enable monitored hosts. This is done
 on the Monitored Hosts tab of the Activity Monitor Console. The credential provisioned for
 activity monitoring is needed during this process. See the Monitored Hosts Overview section for
 additional information.

 Search Activity Events

 The activity logs created by the activity agent(s) can be queried from within the Activity Monitor
 Console. Using the search feature, set filters for the query to view monitored events. See the
 Search Feature section for additional information.

                        Monitored Hosts Overview
 Once the agent(s) installation is complete, hosts can be added for monitoring. The Monitored
 Hosts tab in the Activity Monitor Console is comprised of a button bar and a table of hosts being
 monitored.

 The button bar allows users to take the following actions:

 l   Toggle Collapse – Expands and collapses all Monitored Hosts for viewing or hiding multiple
     outputs per host
 l   Add Host – Opens the Add New Host window to configure monitoring. See the section for
     instructions on adding the desired target environment:
     l   MS SQL Server Host
 l   Remove – Remove the configured host from the monitored hosts table and end monitoring. A
     window prompts for confirmation to remove the selected host.
 l   Edit – Opens the selected host’s Properties window to modify monitoring settings
 l   Enable – Resume monitoring which has been stopped or paused
 l   Disable – Stop or pause monitoring
     NOTE: The same host can be monitored multiple times for different outputs. Add a comment in
     the Comment column to indicate the purpose of each configured output for a host.

 The monitored hosts table provides the following information:

 l   Monitored Host – Name or IP Address of the host being monitored
 l   Agent – Name or IP Address of the server where the activity agent is deployed

 l   Platform – Type of platform being monitored, e.g. Windows, NetApp, SharePoint, etc.
 l   Retention – Number of days for which the activity log files are retained
 l   Log Size – Size of the activity log files
 l   Status – Indicates the status of activity monitoring for the host. See the Error Propagation
     section for additional information.
 l   Received Events – Date timestamp of the last event received
 l   Comment – Comment provided by user:
     l   Often this indicates the desired output, e.g. StealthAUDIT.
     l   This can be useful if adding the same monitored host multiple times with different
         configurations for different outputs.
     l   If a StealthINTERCEPT Agent has been deployed to a Windows server where an activity
         agent is deployed, then the Comment identifies the host as “Managed by
         StealthINTERCEPT”, and that ‘monitored host’ is not editable. Add the host again for other
         outputs.

 Hosts can have more than one output. To view a host's outputs, expand the host by clicking the
 white arrow to the left of the Monitored Host name.

 For integration with StealthAUDIT, only one configuration of a ‘monitored host’ can be set as the
 StealthAUDIT output. After a ‘monitored host’ has been added, use the Edit feature to identify
 the configuration as being for StealthAUDIT on the Log Files tab of the host’s Properties window.
 See the Log File Tab section for additional information.

 MS SQL Server Host
 Follow the steps to add a MS SQL Server host to be monitored.

 CAUTION: The SQL Server must be configured before adding a host. See the Microsoft
    SQL Configuration Guide for additional information on SQL Server configuration for activity
    monitoring.

 Step 1 – In the Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host
 window opens.

 Step 2 – On the Choose Agent page, select the agent that will monitor the SQL Server host, then
 click Next.

 Step 3 – On the Add Host page, select MS SQL Server and enter the server name or address of the
 SQL Server host (use Server name\instance for a named instance), then click Next.

 Step 4 – On the MS SQL Server Options page, configure the following options:

 l   Enable Audit automatically — Check the box to have the agent re-enable auditing automatically
     if it is ever disabled
 l   Open instruction... — Opens the How to create a SQL Login for Monitoring page. See the
     SQL Server Database section of the Microsoft SQL Configuration Guide for additional
     information.
 l   User name — Enter the user name of the SQL Server login used for monitoring
 l   User password — Enter the password for that login

 Click Connect to test the settings, then click Next.

 Step 5 – On the Configure Operations page, select which SQL Server events to monitor, then click
 Next.

 Step 6 – On the SQL Server Objects page, click Refresh. Select the SQL Server objects to be
 monitored. Click Next.

 Step 7 – On the SQL Server Logon Trigger page, copy and paste the SQL script into a New Query
 window connected to the SQL Server instance. Execute the query to create a server-level logon
 trigger. With the trigger in place, the Activity Monitor monitors SQL logon events and obtains the
 IP address of each connection. The script is:

             CREATE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER FOR LOGON
             AS
             BEGIN
                 -- EVENTDATA() returns the LOGON event as XML (login name, client host, SPID, ...)
                 DECLARE @str varchar(max) = CAST(EVENTDATA() AS varchar(max));
                 -- Severity 1 is informational: the message is not an error and does not
                 -- fail the login
                 RAISERROR(@str, 1, 1);
             END

        Creating a trigger ON ALL SERVER requires CONTROL SERVER permission, so run the script as
        a sysadmin rather than as the monitoring login. Click Check Status to see if the trigger is
        configured properly, then click Next.

 Step 8 – On the Configure Basic Options page,

 l   Period to keep Log files - Activity logs are deleted after the number of days entered. Default is
     set to 10 days.
     RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be
     retained to meet an organization’s audit requirements.

 Click Next.

 Step 9 – On the Where To Log The Activity page, select whether to send the activity to either a
 Log File (TSV) or Syslog Server, then click Next.

 Step 10 – If Log File is selected on the Where To Log The Activity page, the File Output page can
 be configured.

 l   Specify output file path – Specify the file path where log files are saved. Click the ellipsis
     button (...) to open Windows Explorer and navigate to a folder destination. Click Test to check
     that the path is usable.
 l   Period to keep Log files – Log files are deleted after the period entered. The default is 10
     days. Use the dropdown to specify whether the period is in Minutes, Hours, or Days.
 l   This log file is for StealthAUDIT – Enable this option to have StealthAUDIT collect this
     monitored host configuration
     RECOMMENDED: Identify the configuration to be read by StealthAUDIT when integration is
     available.
     l   While the Activity Monitor can have multiple configurations per host, StealthAUDIT can only
         read one of them.

 Step 11 – If Syslog Server is selected on the Where To Log The Activity page, the Syslog Output
 page can be configured.

 l   Syslog server in SERVER[:PORT] format – Type the Syslog server name with a SERVER:Port
     format in the textbox.
     l   The server name can be short name, fully qualified name (FQDN), or IP Address, as long as
         the organization’s environment can resolve the name format used. The Event stream is the
         activity being monitored according to this configuration for the monitored host.
 l   Syslog Protocol – Identify the Syslog protocol to be used for the Event stream. The drop-down
     menu includes:
     l   UDP
     l   TCP
     l   TLS
     l   The TCP and TLS protocols add the Message framing drop-down menu. See the Syslog Tab
         section for additional information.
 l   The Test button sends a test message to the Syslog server to check the connection. A green
     check mark or a red mark shows whether the test message was sent or failed to send. What the
     test proves depends on the Syslog protocol:
     l   UDP – Sends a test message but cannot verify delivery, because UDP is connectionless
     l   TCP/TLS – Sends a test message and verifies that the connection was established

     l   TLS – Shows an error if the TLS handshake fails
     l   See the Syslog Tab section for additional information.

 Click Finish.

 The added MS SQL Server host displays in the table of hosts being monitored. Once a host has
 been added to be monitored, additional configuration can be done, e.g. adding a comment.

 Additional SQL Configuration
 Once a SQL Server host has been added to the monitored hosts table, the configuration settings
 can be edited through the tabs in the host’s Properties window. The configurable properties for
 SQL Server hosts and outputs are:

 l   Host Properties
     l   MS SQL Server Tab
     l   Logon Trigger Tab
     l   Inactivity Alerts Tab
 l   Output Properties
     l   Syslog Tab
     l   Operations Tab
     l   Objects Tab

    l   Account Exclusions Tab for SQL Hosts
    l   Additional Properties Tab

 See the Monitored Hosts Properties Overview section for additional information.

 Error Propagation
 The Error Propagation collapsible section located above the Status Bar of the Activity Monitor
 provides visibility into a host's monitoring state. Host monitoring status is depicted in the
 Monitored Hosts table under the Status column. Users can expand the Error Propagation section
 to view more information on various status conditions.

 Click the Down Arrow to expand the Error Propagation section. The information listed is
 dependent on which host is currently selected in the Monitored Hosts table. Users can find
 information on the Current State of a host, as well as viewing a history of changes in state.

             Monitored Hosts Properties Overview
 Once a host has been added to the Monitored Hosts list, the configuration settings can be edited
 through the host’s Properties window. Most monitored host settings are configured when the
 host is added. However, some settings can only be configured through the host’s Properties
 window, e.g. identifying the activity log for StealthAUDIT.

 On the Monitored Hosts tab, select the host and click Edit to open the host’s Properties window,
 or right-click on a host and select Edit Host from the right-click menu. The Host Properties tabs
 are:

 l   Inactivity Alerts Tab
 l   MS SQL Server Tab — MS SQL Server hosts only

 Each host contains one or more File or Syslog outputs. Outputs have additional properties that
 can be configured. Click the arrow next to the host name to expand the host's output list. To
 configure output properties, select the output and click Edit to open the output's Properties
 window, or right-click on an output and select Edit Output from the right-click menu. The Output
 Properties tabs are:

 l   Log File Tab
 l   Syslog Tab
 l   Account Exclusions Tab
 l   Additional Properties Tab

 Host Properties
 To edit Host Properties, right-click on a host and select Edit Host. The configurable host
 properties available depends on the type of host being modified.

 MS SQL Server Tab

 The MS SQL Server tab on a SQL Server host's Properties window is used to configure properties for
 SQL activity monitoring on the host.

 The configurable options are:

 l   Enable Trace automatically — Check the box to have the Activity Monitor re-enable the trace
     automatically if it is disabled
 l   Audit polling interval — Configure the interval between audit polls. The default is 15 seconds.
 l   Open instruction... — Click Open Instruction... to view steps on how to create a login for
     SQL monitoring
     l   Certain permissions are required to create a login for SQL monitoring. See the Microsoft
         SQL Configuration Guide for additional information.
 l   Server name\instance — Server name\instance of the SQL Server to be monitored

 l   User name — User for the SQL Server
 l   User password — Password for the SQL Server
 l   Connect — Click Connect to test the settings

 Logon Trigger Tab
 The Logon Trigger tab on a SQL Server host's Properties window is used to configure the logon
 trigger for SQL activity monitoring.

 Copy and paste the SQL script into a SQL query window and execute it to enable the Activity
 Monitor to obtain the IP addresses of client connections. Click Check Status to check whether the
 trigger is properly configured on the SQL Server.
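
 The following T-SQL is an added example, not part of this guide. It serves both Step 7 of the MS
 SQL Server Host procedure and this tab: it confirms that SBAudit_LOGON_Trigger exists and is
 enabled, shows the stored definition so it can be compared with the script in the guide,
 demonstrates on a constructed EVENTDATA() sample which fields carry the client address, and keeps
 the disable and drop statements at hand for rollback. The sample XML is constructed from the
 documented LOGON event shape, not captured from a server, and the host names and addresses in it
 are made up.

```sql
-- Added example, not part of the Stealthbits guide. Run as a sysadmin.

-- 1. Is the trigger present, and is it enabled? (Check Status in the console
--    should agree with this.)
SELECT t.name, t.is_disabled, t.create_date, t.modify_date
FROM sys.server_triggers AS t
WHERE t.name = N'SBAudit_LOGON_Trigger';

-- 2. Stored definition, to compare against the script in the guide before
--    trusting a trigger that someone else may have modified since deployment.
SELECT m.definition
FROM sys.server_triggers AS t
JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id
WHERE t.name = N'SBAudit_LOGON_Trigger';

-- 3. Why the trigger exists: EVENTDATA() inside a LOGON trigger is XML that
--    carries the login and the client host. Constructed sample (assumed values),
--    following the documented LOGON event shape; not captured from a server.
DECLARE @evt xml = N'<EVENT_INSTANCE>
  <EventType>LOGON</EventType>
  <PostTime>2021-01-01T00:00:00.000</PostTime>
  <SPID>55</SPID>
  <ServerName>SQL01</ServerName>
  <LoginName>CONTOSO\jdoe</LoginName>
  <LoginType>Windows (NT) Login</LoginType>
  <ClientHost>10.0.0.25</ClientHost>
  <IsPooled>0</IsPooled>
</EVENT_INSTANCE>';
SELECT @evt.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)') AS login_name,
       @evt.value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(64)')  AS client_host,
       @evt.value('(/EVENT_INSTANCE/IsPooled)[1]',   'bit')           AS is_pooled;

-- 4. Rollback, kept at hand. Uncomment only when the trigger must be removed.
-- DISABLE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER;
-- DROP TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER;
```

 Keep step 4 in mind before touching the trigger: a server-level logon trigger runs for every
 login, including sysadmin, so a trigger that starts raising real errors locks everyone out. Members
 of sysadmin can still connect over the Dedicated Administrator Connection (sqlcmd -A) to disable or
 drop it. The script in the guide raises severity 1, which is informational and does not fail the
 login.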

 Inactivity Alerts Tab
 The Inactivity Alerts tab on a host's Properties window is used to configure alerts that are sent
 when monitored hosts receive no events for a specified period of time.

 The configurable options are:

 l   Customize Inactivity Alert settings for the Monitored Hosts otherwise the Agent's Inactivity
     Alerts settings will be used – Check this box to enable customization of alert settings for
     Monitored Hosts
 l   Length of inactivity – Specify how much time must pass before an inactivity alert is sent out.
     The default is 6 hours.
 l   Repeat an alert every – Specify how often an alert is sent out during periods of inactivity. The
     default is 6 hours.

 Syslog Alerts Tab
 Configure Syslog alerts using the Syslog Alerts Tab.

 The configurable options are:

 l   Syslog server in SERVER[:PORT] format – Type the Syslog server name with a SERVER:Port
     format in the textbox.
 l   Syslog protocol – Identify the Syslog protocol to be used for the alerts
     l   UDP
     l   TCP
     l   TLS
 l   Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window.
     The following Syslog templates have been provided:
     l   AlienVault / Generic Syslog
     l   CEF – Incorporates the CEF message format
     l   HP Arcsight
     l   LEEF – Incorporates the LEEF message format
     l   LogRhythm
     l   McAfee
     l   QRadar – Use this template for IBM QRadar integration. See the Configure the Stealthbits
         Activity Monitor for Event Stream to QRadar section of the Stealthbits File Activity Monitor
         App for QRadar User Guide for additional information.

     l   Splunk – Use this template for Splunk integration. See the Configure the Stealthbits Activity
         Monitor for Event Stream to Splunk section of the Stealthbits File Activity Monitor App for
         Splunk User Guide for additional information.

 Email Alerts Tab
 Configure Email alerts using the Email Alerts Tab.

 The configurable options are:

 l   SMTP server in SERVER[:PORT] format – Enter the SMTP server for the email alerts
     l   Enable TLS – Check the box to enable TLS encryption
 l   User name – (Optional) User name for the email alert
 l   User password – (Optional) Password for the username
 l   From email address – Email address that the alert is sent from
 l   To email address – Email address that the alert is sent to
 l   Message subject – Subject line used for the email alert. Click the ellipses (...) to open the
     Message Template window.
 l   Message body – Body of the message used for the email alert. Click the ellipses (...) to open
     the Message Template window.

 Output Properties
 To edit Output Properties, right-click on an output and select Edit Output. The configurable
 output properties available depends on the type of output and host being modified.

 Log File Tab
 The Log File tab on a log-file output's Properties window is where the activity log settings are
 modified. These settings are initially configured on the Configure Basic Options and File Output
 pages of the Add New Host window when the host is added to the Monitored Hosts list.

 Log Files Tab for SQL Hosts

  After initial configuration, the following options can be configured:

  l   Log file path – Identifies the full path of the activity log files on the activity agent server.
      Current timestamp is appended to the file name automatically.

  l   Period to keep Log files – Activity logs are deleted after the number of days entered. The
      default is 10 days.
      RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be
      retained to meet an organization’s audit requirements.
  l   This log file is for StealthAUDIT – Enable this option to have StealthAUDIT collect this
      monitored host configuration

 It is typically not recommended to disable the activity log. See the Search Feature section of the
 Stealthbits Activity Monitor Installation & Console User Guide for additional information. A list of
 the JSON log file columns and descriptions are available in the Appendix. See the Stealthbits
 Activity Monitor Appendices section for additional information.

 Operations Tab
 Operations Tab for SQL Hosts
  The Operations tab on a SQL host's Properties window allows users to select which DML
  Operations, Audit Operations, and Permission Operations are monitored.

  In the SQL host's Operations Tab, modify settings that were populated with the information
  entered when the host was added. Select the DML Operations, Audit Operations, and
  Permission Operations to be monitored.

  Click OK to apply changes and exit, or Cancel to exit without saving any changes.

 Objects Tab
 The Objects Tab for SQL Server outputs is used to choose which SQL Server objects to monitor.

 Click Refresh to populate the list of SQL Server objects that can be monitored.

 Account Exclusions Tab for SQL Hosts
 The Account Exclusions tab on a SQL host’s Properties window allows users to scope monitoring
 by adding filters for accounts by name or type.

 The configurable options are:

 l   Add Sql User – Click the Add SQL User button to open the Specify Sql User Name window.
 l   Remove – Click Remove to remove an excluded account from the Account Exclusion list.
 l   Process group membership when filtering – Check the box to enable processing of group
     memberships when filtering accounts

 Enter one or more SQL User Names into the text box to exclude those accounts from SQL activity
 monitoring. Click OK to confirm changes. Click Cancel to exit the window without saving.

 Additional Properties Tab
 The Additional Properties tab on a host’s Properties window displays comments entered for the
 monitored host by the users.

 The options are:

 l   Report hostname as – The value entered here will customize the hostname that is reported in
     the event for log files and Syslog outputs
 l   Comment – The value entered here will appear in the Comments column in the Activity
     Monitor's Monitored Hosts tab.

 Often, the Comment is used to indicate the intended output, e.g. StealthAUDIT. This is useful when
 the same host has multiple outputs with different configurations.

 Syslog Tab
 The Syslog tab on a host’s Properties window allows users to configure communication with SIEM
 servers.

 The available options are:

 l   Syslog server in SERVER[:PORT] format – Type the Syslog server name with a SERVER:Port
     format in the textbox.
     l   The server name can be short name, fully qualified name (FQDN), or IP Address, as long as
         the organization’s environment can resolve the name format used. The Event stream is the
         activity being monitored according to this configuration for the monitored host.
 l   Syslog Protocol - Identify the Syslog protocol to be used for the Event stream. The drop-down
     menu includes:
     l   UDP
     l   TCP
     l   TLS

 The TCP and TLS protocols add the Message framing drop-down menu (screenshots: TCP Protocol and
 TLS Protocol). Message framing options include:

 l   LS (ASCII 10, line feed) delimiter
 l   CR (ASCII 13) delimiter
 l   CRLF (ASCII 13, 10) delimiter
 l   NUL (ASCII 0) delimiter
 l   Octet Count (RFC 5425)

 Match the framing to what the receiving SIEM expects. With delimiter framing, a message that
 itself contains the delimiter character (for example a multi-line SQL statement containing a line
 feed) is split into fragments at the receiver unless the character is escaped. Octet Count framing
 prefixes each message with its length and avoids this; it is also the framing RFC 5425 requires
 for syslog over TLS.

 The Test button sends a test message to the Syslog server to check the connection. A green check
 mark or a red mark shows whether the test message was sent or failed to send. What the test proves
 depends on the Syslog protocol:

 l   UDP – Sends a test message but cannot verify delivery, because UDP is connectionless
 l   TCP/TLS – Sends a test message and verifies that the connection was established
 l   TLS – Shows an error if the TLS handshake fails


 Click the ellipsis (…) to open the Syslog Message Template window. The following Syslog
 templates have been provided:

 •   AlienVault / Generic Syslog
 •   CEF – Incorporates the CEF message format
 •   HP Arcsight
 •   LEEF – Incorporates the LEEF message format
 •   LogRhythm
 •   McAfee
 •   QRadar – Use this template for IBM QRadar integration. See the Configure the Stealthbits
     Activity Monitor for Event Stream to QRadar section of the Stealthbits File Activity Monitor
     App for QRadar User Guide for additional information.
 •   Splunk – Use this template for Splunk integration. See the Configure the Stealthbits Activity
     Monitor for Event Stream to Splunk section of the Stealthbits File Activity Monitor App for
     Splunk User Guide for additional information.

 Custom templates can be created. Select the desired template or create a new template by
 modifying an existing template within the Syslog Message Template window. The new message
 template will be named Custom.


 Search Feature
 The search feature consolidates and compartmentalizes search results based on events, time,
 objects, users, and hosts. Search results populate based on which settings are chosen. Results
 may then be sorted, filtered, and/or exported to a CSV file or JSON file depending on the type
 of search. See the Console Navigation section of the Stealthbits Activity Monitor Installation &
 Console User Guide for more information.

 To open the search feature, click the Magnifying Glass icon and select from the following options:

 •   SQL Server Search Query – Selecting the SQL Server option enables users to search agents for
     SQL activity

 The search process includes the following steps:

 •   Create the Search Query by setting the desired filters
 •   Sort and/or filter within the returned results
 •   Optionally, export the results

 Queries that may be useful to an organization include the following:

 •   Who accessed a particular folder/file on X day or during Y date range?
 •   Who renamed a particular folder/file on X day or during Y date range?
 •   Who deleted a particular folder/file on X day or during Y date range?
 •   Who created a particular folder/file?
 •   What did user X do on day Y?
 •   What did user X do between days Y and Z?
 •   Administrator activity details?


 SQL Search Query
 Configure parameters for the search feature for SQL Server environments using the SQL Search
 Query tab. For general information on search queries, see the Search Feature section.

 A search query can apply any combination of filters. The filters are:

 General Filters
  The General filter must be configured for every query. The filters in this section address
  who, what, where, and when an object, user, host, or domain controller is affected by User
  and SQL Server events.

  The General Filters are:

  •   Time From – Determines the start datetime of the period the search is conducted for
  •   Time To – Determines the end datetime of the period the search is conducted for
  •   Event Result – Configure to select whether to return results for All, Success, or Failure
  •   Reason – The search can be run against a simple string with wildcards or a regular
      expression by selecting the dropdown arrow.
  •   Agent Hosts – Select which agent host(s) to search
  •   Search Limit – Configure the number of results that are returned from a search. The
      default is 10000.


 User Filters
  Filter for specific users using the filter options in the User filters section.

  The User Filters are:

  •   Name or ID – Search for a specific name or ID using the Name or ID search filter. The
      search can be run against a simple string with wildcards or a regular expression by
      selecting the dropdown arrow.
  •   IP Address – Search for a specific IP address using the IP Address search filter. The
      search can be run against a simple string with wildcards or a regular expression by
      selecting the dropdown arrow.

 SQL Filters
  Filter for other SQL-specific attributes using the SQL filters section.

  The SQL Filters are:

  •   Database – Return results from a specific database by entering text into the Database
      field. The search can be run against a simple string with wildcards or a regular
      expression by selecting the dropdown arrow.


  •   Type Mask – Enter a value into the Type Mask field to filter search results by type mask.
      The search can be run against a simple string with wildcards or a regular expression by
      selecting the dropdown arrow.
  •   Application – Enter a value into the Application field to filter search results by
      application. The search can be run against a simple string with wildcards or a regular
      expression by selecting the dropdown arrow.
  •   SQL Text – Enter a value into the SQL Text field to search for specific SQL text. The
      search can be run against a simple string with wildcards or a regular expression by
      selecting the dropdown arrow.

 SQL Search Results
 When a search has been started, the Search Status table at the bottom displays the percentage
 complete according to the size and quantity of the activity log files being searched per activity
 agent. Search results can be sorted, filtered, and exported to a CSV file.

 The results data grid columns display the following information for each event:

 •   Event Time – Date and time stamp of the event
 •   Agent – Stealthbits Activity Monitor activity agent which monitored the event
 •   Result – Indicates whether the event was a success
 •   User – User account that performed the activity event
 •   IP Address – IP address of the client host associated with the event
 •   Client Host – Name of the client host associated with the event
 •   Application Name – Name of the application associated with the event
 •   Operation – The type of operation associated with the event
 •   Database – The type of database associated with the event
 •   SQL – The SQL query text associated with the event
 •   Error – Indicates the SQL error code associated with the event
 •   Message – Description of the error associated with the event
 •   Category – Category of the error associated with the event

 At the bottom of the search interface, additional information is displayed for selected events in
 the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as
 applicable to the event) are displayed. Results can also be organized within the Search Results
 table. See the Export Search Results, Filter Search Results, and Sort Search Results sections for
 additional information on organizing the Search Results table.

 Export Search Results
 The search results data grid from a File search query can be exported to a CSV file. The search
 results data grid from an Active Directory search query can be exported to a JSON file.

 Click the Export button located at the top left corner of the window and set the name and
 location of the CSV file.

 Filter Search Results
 The drop-down menu for a column header in the search results data grid provides the option to
 filter the search results further.

 Choose between checking/unchecking the desired field values from the list of available values
 and typing in the search textbox. The Clear filter option removes all filters from the selected
 column. A filter icon appears on the header where filters have been applied. Multiple columns
 can be filtered in the search results data grid.

 NOTE: The columns that can be filtered vary depending on the type of results returned.

 Sort Search Results
 Clicking on any column header in the search results data grid sorts the results alphanumerically
 for that column, and an arrow next to the column name indicates whether the sort is in ascending
 or descending order.

 The drop-down menu on the column header has options to Sort A to Z or Sort Z to A for the
 selected column. Sorting can only occur for one column at a time.

 NOTE: The columns that can be sorted vary depending on the type of results returned.


 More Information
 Identify threats. Secure data. Reduce risk.

 Stealthbits Technologies is a data security software company focused on protecting an
 organization’s credentials and data. By removing inappropriate data access, enforcing security
 policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements,
 and decrease operations expense.

 For information on our products and solution lines, check out our website at
 www.stealthbits.com or send an email to our information center at info@stealthbits.com.

 If you would like to speak with a Stealthbits Sales Representative, please contact us at
 +1.201.447.9300 or via email at sales@stealthbits.com.

 Have questions? Check out our online Documentation or our Training Videos (requires login):
 https://www.stealthbits.com/documentation. To speak to a Stealthbits Representative: please
 contact Stealthbits Support at +1.201.447.9359 or via email at support@stealthbits.com.

 Need formal training on how to use a product more effectively in your organization? Stealthbits is
 proud to offer FREE online training to all customers and prospects! For schedule information,
 visit: https://www.stealthbits.com/on-demand-training.


 Stealthbits Activity Monitor Appendices
 See the following appendices for additional information:

 •   Appendix: SQL Server Activity Monitor JSON Log File

 Appendix: SQL Server Activity Monitor JSON Log File
 The following information lists all of the columns generated by SQL Server Activity Monitor into a
 JSON log file, along with descriptions.

 Field            Type           Description                                               Example

 TimeLogged       DateTime       UTC datetime of the event, format:                        2021-02-18T15:39:29.424Z
                                 yyyy-MM-ddTHH:mm:ss.fffZ
 ActivityType     Fixed string                                                             SqlServer
 AgentHost        String         Host of the Stealthbits Activity Monitor Agent Service    W7-VS17
 UserName         String         Name of the user who performed the operation              admin
 Success          bool           The result of the operation. For Login operations,        True
                                 False means the login has failed. For other
                                 operations, the result is always True.
 TypeMask         uint           Integer representation of the performed operation: a      33 (combination of
                                 combination (mask) of codes of the SqlServerEvent         Select and Execute)
                                 enumeration listed below.
 TypeMaskDesc     String         Text representation of the TypeMask field                 Select|Execute
 ClientAppName    String         Name of the application that caused the operation         Microsoft SQL Server
                                                                                           Management Studio -
                                                                                           Transact-SQL IntelliSense
 ClientHostName   String         Name of the client host                                   W10
 ClientIp         String         IP address of the client (can be empty)                   127.0.0.1
 DatabaseName     String         Name of the affected database                             AdventureWorks
 SqlText          String         Query text                                                select * from [SalesLT].[Customer]
 ErrorNumber      Integer        MSSQL error code                                          208
 Message          String         Message text of the error                                 Invalid object name
                                                                                           'SalesLT.Customer1'.
 Category         String         Category of the error                                     2
 SqlObjects       String         Array of affected objects

 The SqlServerEvent enumeration codes that TypeMask combines are:

 •   Select = 0x01
 •   Insert = 0x02
 •   Update = 0x04
 •   Delete = 0x08
 •   Merge = 0x10
 •   Execute = 0x20
 •   LoginSuccessful = 0x40
 •   LoginFailed = 0x80
 •   Logout = 0x0100
 •   Grant = 0x0200
 •   Revoke = 0x0400
 •   Deny = 0x0800
 •   Error = 0x1000
 •   Create = 0x2000
 •   Alter = 0x4000
 •   Drop = 0x8000

 JSON Examples

 Error
    {
      "TimeLogged": "2021-06-11T12:57:18.600Z",
      "ActivityType": "SqlServer",
      "AgentHost": "W7-VS17",
      "UserName": "testuser1",
      "Success": true,
      "TypeMask": 4096,
      "TypeMaskDesc": "Error",
      "ClientAppName": "Microsoft SQL Server Management Studio - Query",
      "ClientHostName": "W10",
      "ClientIp": "127.0.0.1",
      "DatabaseName": "StealthRECOVER_22-04",
      "SqlText": "select * from [SalesLT].[Customer1]",
      "ErrorNumber": 208,
      "Message": "Invalid object name 'SalesLT.Customer1'.",
      "Category": "2"
    }

 Login
    {
      "TimeLogged": "2021-06-11T12:50:40.038Z",
      "ActivityType": "SqlServer",
      "AgentHost": "W7-VS17",
      "UserName": "testuser1",
      "Success": true,
      "TypeMask": 64,
      "TypeMaskDesc": "Login",
      "ClientAppName": "Microsoft SQL Server Management Studio - Query",
      "ClientHostName": "W10",
      "ClientIp": "127.0.0.1",
      "DatabaseName": "master"
    }

    {
      "TimeLogged": "2021-06-11T12:28:24.165Z",
      "ActivityType": "SqlServer",
      "AgentHost": "W7-VS17",
      "UserName": "",
      "Success": false,
      "TypeMask": 64,
      "TypeMaskDesc": "Login",
      "ClientAppName": "Microsoft SQL Server Management Studio",
      "ClientHostName": "W10",
      "ClientIp": "",
      "DatabaseName": "master",
      "ErrorNumber": 18456,
      "Message": "Login failed for user 'testuser'. Reason: Could not find a login matching the name provided. [CLIENT: ]"
    }

 Logout
    {
      "TimeLogged": "2021-06-11T13:14:28.386Z",
      "ActivityType": "SqlServer",
      "AgentHost": "W7-VS17",
      "UserName": "testuser1",
      "Success": true,
      "TypeMask": 256,
      "TypeMaskDesc": "Logout",
      "ClientAppName": "Microsoft SQL Server Management Studio - Query",
      "ClientHostName": "W10",
      "ClientIp": "127.0.0.1",
      "DatabaseName": "StealthRECOVER_22-04"
    }

 SqlEvent
    {
      "TimeLogged": "2021-06-11T13:22:48.682Z",
      "ActivityType": "SqlServer",
      "AgentHost": "W7-VS17",
      "UserName": "sa",
      "Success": true,
      "TypeMask": 5,
      "TypeMaskDesc": "Select|Update",
      "ClientAppName": "Microsoft SQL Server Management Studio - Query",
      "ClientHostName": "W10",
      "ClientIp": "127.0.0.1",
      "DatabaseName": "AdventureWorksLT2019",
      "SqlText": "select top 100 * \r\nfrom [SalesLT].[SalesOrderDetail] d\r\nleft join [SalesLT].[Product] p on p.ProductID=d.ProductID;\r\nUpdate [SalesLT].[Product] set ProductNumber='zzz' where ProductNumber='xxx';\r\n",
      "SqlObjects": [
        {"t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "SalesOrderDetail", "op": "Select"},
        {"t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "Product", "op": "Select|Update"}
      ]
    }

 Permission
    {
      "TimeLogged": "2021-06-11T13:27:48.009Z",
      "ActivityType": "SqlServer",
      "AgentHost": "W7-VS17",
      "UserName": "sa",
      "Success": true,
      "TypeMask": 512,
      "TypeMaskDesc": "Grant",
      "ClientAppName": "Microsoft SQL Server Management Studio - Query",
      "ClientHostName": "W10",
      "ClientIp": "127.0.0.1",
      "DatabaseName": "AdventureWorksLT2019",
      "SqlText": "\r\n\r\nGRANT ALL ON [SalesLT].[Product] TO [sqluser3]; ",
      "SqlObjects": [
        {"t": "U", "db": "AdventureWorksLT2019", "s": "saleslt", "o": "Product", "op": "Grant"}
      ]
    }
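The decoder below is an added example, not code from the guide or the Activity Monitor: it expands TypeMask into the SqlServerEvent names from the appendix table and runs a simple review pass over log lines. The review rules and the sample lines are this example's own assumptions; the lines are trimmed from the JSON examples above, plus one constructed Drop event that the guide does not show.

```python
"""Decode TypeMask in SQL Server Activity Monitor JSON log lines and pick out
the events a defender reviews first.  Added example, not part of the Stealthbits
guide: the SqlServerEvent codes are those of the appendix table; the sample log
lines are constructed from the guide's JSON examples (trimmed to the fields used
here) plus one constructed Drop event the guide does not show.
"""
import json

# SqlServerEvent enumeration (appendix table); TypeMask is a bitwise OR of these.
SQL_SERVER_EVENT = {
    0x0001: "Select", 0x0002: "Insert", 0x0004: "Update", 0x0008: "Delete",
    0x0010: "Merge", 0x0020: "Execute", 0x0040: "LoginSuccessful",
    0x0080: "LoginFailed", 0x0100: "Logout", 0x0200: "Grant",
    0x0400: "Revoke", 0x0800: "Deny", 0x1000: "Error", 0x2000: "Create",
    0x4000: "Alter", 0x8000: "Drop",
}
KNOWN_BITS = sum(SQL_SERVER_EVENT)                                   # 0xFFFF
LOGIN_OPS = {"LoginSuccessful", "LoginFailed"}
CHANGE_OPS = {"Grant", "Revoke", "Deny", "Create", "Alter", "Drop"}  # permission/schema
WRITE_OPS = {"Insert", "Update", "Delete", "Merge"}

def decode_type_mask(mask: int) -> list:
    """Expand TypeMask into enumeration names, lowest bit first (33 -> Select, Execute)."""
    names = [name for bit, name in sorted(SQL_SERVER_EVENT.items()) if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.append("Unknown(0x%X)" % unknown)
    return names

def review_event(event: dict) -> list:
    """Reasons one parsed record deserves review; empty list when it does not."""
    ops = set(decode_type_mask(event.get("TypeMask", 0)))
    db = event.get("DatabaseName")
    reasons = []
    # Success is authoritative for logins: the guide's failed-login example
    # carries TypeMask 64 (LoginSuccessful) together with Success false.
    if ops & LOGIN_OPS and not event.get("Success", True):
        reasons.append("failed login as %r from %r" % (event.get("UserName"), event.get("ClientIp")))
    if ops & CHANGE_OPS:
        reasons.append("permission/schema change %s in %s" % (sorted(ops & CHANGE_OPS), db))
    # Writes: name the objects the agent resolved into SqlObjects with a write op.
    if ops & WRITE_OPS:
        targets = [o["o"] for o in event.get("SqlObjects", [])
                   if set(o.get("op", "").split("|")) & WRITE_OPS]
        reasons.append("write to %s in %s" % (targets, db))
    return reasons

def review_log(lines) -> list:
    """Parse JSON log lines; return (TimeLogged, UserName, reasons) per flagged event."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("ActivityType") == "SqlServer":
            reasons = review_event(event)
            if reasons:
                flagged.append((event["TimeLogged"], event.get("UserName", ""), reasons))
    return flagged

# Constructed sample log (trimmed from the guide's examples; last line is made up).
SAMPLE_LOG = """\
{"TimeLogged":"2021-06-11T12:28:24.165Z","ActivityType":"SqlServer","UserName":"","Success":false,"TypeMask":64,"TypeMaskDesc":"Login","ClientIp":"","DatabaseName":"master","ErrorNumber":18456}
{"TimeLogged":"2021-06-11T13:22:48.682Z","ActivityType":"SqlServer","UserName":"sa","Success":true,"TypeMask":5,"TypeMaskDesc":"Select|Update","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"SalesOrderDetail","op":"Select"},{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Select|Update"}]}
{"TimeLogged":"2021-06-11T13:27:48.009Z","ActivityType":"SqlServer","UserName":"sa","Success":true,"TypeMask":512,"TypeMaskDesc":"Grant","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019"}
{"TimeLogged":"2021-06-11T13:30:00.000Z","ActivityType":"SqlServer","UserName":"sa","Success":true,"TypeMask":32768,"TypeMaskDesc":"Drop","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019"}
"""
```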
