Stealthbits Activity Monitor - Stealthbits SQL Activity Monitor User Guide
Stealthbits Activity Monitor®

Table of Contents

SQL Server Activity Monitor Overview 4
  Getting Started with SQL Server Activity Monitoring 4
Monitored Hosts Overview 6
  MS SQL Server Host 7
  Additional SQL Configuration 18
  Error Propagation 19
Monitored Hosts Properties Overview 20
  Host Properties 21
    MS SQL Server Tab 21
    Logon Trigger Tab 23
    Inactivity Alerts Tab 23
    Syslog Alerts Tab 24
    Email Alerts Tab 26
  Output Properties 27
    Log File Tab 27
    Operations Tab 28
    Objects Tab 29
    Account Exclusions Tab for SQL Hosts 30
    Additional Properties Tab 32
    Syslog Tab 33
Search Feature 36
  SQL Search Query 37
  SQL Search Results 39
  Export Search Results 40
  Filter Search Results 40
  Sort Search Results 41
More Information 43
Stealthbits Activity Monitor Appendices 44
  Appendix: SQL Server Activity Monitor JSON Log File 44
  JSON Examples 46

Doc_ID 813 2 Copyright 2020 STEALTHBITS TECHNOLOGIES, INC. ALL RIGHTS RESERVED
SQL Server Activity Monitor Overview

The ability to monitor SQL Server activity represents both a tremendous gap and a tremendous opportunity for organizations looking to identify threats, achieve compliance, and streamline operations. This guide provides an overview of using the Activity Monitor to audit and monitor SQL Server activity.

Getting Started with SQL Server Activity Monitoring

The following workflow quickly enables users to begin monitoring an organization's SQL Server environment.

Prepare the Environment

Ensure that the following prerequisites and permissions are met:
- Configure the Windows firewall to allow SQL Server access (port 1433)
- Permissions:
  - ALTER ANY EVENT SESSION — allows the agent to start or stop an event session or change an event session configuration
  - VIEW ANY DEFINITION — allows the agent to view the SQL Server object definitions
  - VIEW SERVER STATE — allows the agent to access dynamic management views
  - SQL login mapped to user databases

See the Microsoft SQL Configuration Guide for additional information.

Activity Monitor Console & Agents

Once the environment has been prepared for monitoring, it is time to install the Activity Monitor Console and deploy activity agents. The Activity Monitor Console is the platform from which monitoring of the target environment is managed. After installation, activity agents must be deployed to Windows servers. This is done on the Agents tab of the Activity Monitor Console. The credential provisioned for agent deployment is needed during this process. See the Stealthbits Activity Monitor Installation & Console User Guide for additional information.

Monitor Hosts
Once the activity agents have been deployed, it is time to enable monitored hosts. This is done on the Monitored Hosts tab of the Activity Monitor Console. The credential provisioned for activity monitoring is needed during this process. See the Monitored Hosts Overview section for additional information.

Search Activity Events

The activity logs created by the activity agent(s) can be queried from within the Activity Monitor Console. Using the search feature, set filters for the query to view monitored events. See the Search Feature section for additional information.
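The permissions listed under Prepare the Environment are the whole of what the agent needs at server level, so the monitoring login should hold those and nothing more. The T-SQL below is an added example (not taken from this guide or from the Microsoft SQL Configuration Guide it references): it creates a dedicated login with exactly those three permissions, maps it to one user database, and then verifies the result with the login's own effective permissions. The login name SBAM_Monitor, the password placeholder and the database name SalesDB are assumptions.

```sql
-- Added example, not part of the Stealthbits guide. Assumed names:
-- SBAM_Monitor (the monitoring login) and SalesDB (a user database to be monitored).
USE master;
GO

-- 1. A dedicated SQL login for the agent, subject to the Windows password policy.
CREATE LOGIN [SBAM_Monitor]
    WITH PASSWORD = N'<replace-with-a-strong-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;   -- a service credential should not silently expire
GO

-- 2. Only the three server-level permissions the guide requires.
GRANT ALTER ANY EVENT SESSION TO [SBAM_Monitor];  -- start/stop/alter the agent's event session
GRANT VIEW ANY DEFINITION     TO [SBAM_Monitor];  -- read object definitions
GRANT VIEW SERVER STATE       TO [SBAM_Monitor];  -- read dynamic management views
GO

-- 3. Map the login to each user database that will be monitored. A database user
--    with no role membership satisfies the "SQL login mapped to user databases"
--    prerequisite; repeat the USE / CREATE USER pair for every other database.
USE [SalesDB];
GO
CREATE USER [SBAM_Monitor] FOR LOGIN [SBAM_Monitor];
GO

-- 4. Verify least privilege. The login must not be a sysadmin, and its effective
--    server permissions should be the three granted above plus the defaults every
--    login receives through public (CONNECT SQL, VIEW ANY DATABASE).
USE master;
GO
SELECT IS_SRVROLEMEMBER('sysadmin', 'SBAM_Monitor') AS is_sysadmin;   -- expected: 0

EXECUTE AS LOGIN = 'SBAM_Monitor';       -- requires IMPERSONATE on the login (sysadmin has it)
SELECT permission_name
FROM   sys.fn_my_permissions(NULL, 'SERVER')
ORDER  BY permission_name;
REVERT;
GO
```

Run the verification section again after any later change to server roles: a login that has quietly been added to sysadmin still satisfies the Connect test in the Add New Host wizard, so the wizard alone will not reveal excess privilege.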
Monitored Hosts Overview

Once the agent(s) installation is complete, hosts can be added for monitoring. The Monitored Hosts tab in the Activity Monitor Console is comprised of a button bar and a table of hosts being monitored.

The button bar allows users to take the following actions:
- Toggle Collapse – Expands and collapses all Monitored Hosts for viewing or hiding multiple outputs per host
- Add Host – Opens the Add New Host window to configure monitoring. See the section for instructions on adding the desired target environment:
  - MS SQL Server Host
- Remove – Removes the configured host from the monitored hosts table and ends monitoring. A window prompts for confirmation to remove the selected host.
- Edit – Opens the selected host's Properties window to modify monitoring settings
- Enable – Resumes monitoring which has been stopped or paused
- Disable – Stops or pauses monitoring

NOTE: The same host can be monitored multiple times for different outputs. The Comment column can be used to indicate the purpose of each configured output for a host.

The monitored hosts table provides the following information:
- Monitored Host – Name or IP address of the host being monitored
- Agent – Name or IP address of the server where the activity agent is deployed
- Platform – Type of platform being monitored, e.g. Windows, NetApp, SharePoint, etc.
- Retention – Number of days for which the activity log files are retained
- Log Size – Size of the activity log files
- Status – Indicates the status of activity monitoring for the host. See the Error Propagation section for additional information.
- Received Events – Date timestamp of the last event received
- Comment – Comment provided by the user:
  - Often this indicates the desired output, e.g. StealthAUDIT.
  - This can be useful if adding the same monitored host multiple times with different configurations for different outputs.
  - If a StealthINTERCEPT Agent has been deployed to a Windows server where an activity agent is deployed, then the Comment identifies the host as "Managed by StealthINTERCEPT", and that 'monitored host' is not editable. Add the host again for other outputs.

Hosts can have more than one output. To view a host's outputs, expand the host by clicking the white arrow to the left of the Monitored Host name.

For integration with StealthAUDIT, only one configuration of a 'monitored host' can be set as the StealthAUDIT output. After a 'monitored host' has been added, use the Edit feature to identify the configuration as being for StealthAUDIT on the Log Files tab of the host's Properties window. See the Log File Tab section for additional information.

MS SQL Server Host

Follow the steps to add a MS SQL Server host to be monitored.

CAUTION: The SQL Server must be configured before adding a host. See the Microsoft SQL Configuration Guide for additional information on SQL Server configuration for activity monitoring.

Step 1 – In the Activity Monitor, go to the Monitored Hosts tab and click Add. The Add New Host window opens.
Step 2 – On the Choose Agent page, select the Agent that will monitor the host, then click Next.
Step 3 – On the Add Host page, select MS SQL Server and enter the Server name or address for the SQL Server host, then click Next.
Step 4 – On the MS SQL Server Options page, configure the following options:
- Enable Audit automatically — Check the box to re-enable auditing automatically if it is ever disabled
- Open instruction — Opens the How to create a SQL Login for Monitoring page. See the SQL Server Database section of the Microsoft SQL Configuration Guide for additional information.
- User name — Enter the user name for the credentials for the SQL Server
- User password — Enter the password for the credentials for the SQL Server

Click Connect to test the settings, then click Next.
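The ALTER ANY EVENT SESSION prerequisite indicates that the agent collects activity through an Extended Events session it manages itself, which is what Enable Audit automatically restarts when it has been disabled (this is an inference from the permission list; the guide does not name the session). The queries below are an added check, not part of the guide: they list every event session defined on the instance next to whether it is currently running, and then the events and targets each session captures, so an administrator can confirm the agent's session is present after the host is added and review what it records. No session name is assumed.

```sql
-- Added check, not part of the Stealthbits guide. Run it before and after adding the
-- host and compare the rows to identify the session the agent created.
SELECT s.name,
       s.startup_state,                                     -- 1 = starts with the service
       CASE WHEN r.name IS NULL THEN 0 ELSE 1 END AS is_running,
       r.create_time                                        -- NULL while the session is stopped
FROM   sys.server_event_sessions AS s
LEFT JOIN sys.dm_xe_sessions     AS r ON r.name = s.name
ORDER  BY s.name;

-- Events and targets per defined session: what is captured and where it is written.
SELECT s.name    AS session_name,
       e.package AS event_package,
       e.name    AS event_name,
       t.name    AS target_name
FROM   sys.server_event_sessions           AS s
JOIN   sys.server_event_session_events     AS e ON e.event_session_id = s.event_session_id
LEFT JOIN sys.server_event_session_targets AS t ON t.event_session_id = s.event_session_id
ORDER  BY s.name, e.name;
```

A session that is defined but not running (is_running = 0) while the host shows a healthy Status is worth a second look, because it means no SQL events are being captured even though the console is connected.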
Step 5 – On the Configure Operations page, select which SQL Server events to monitor, then click Next.

Step 6 – On the SQL Server Objects page, click Refresh. Select the SQL Server objects to be monitored. Click Next.
Step 7 – On the SQL Server Logon Trigger page, copy and paste the SQL script into a New Query in the SQL database. Execute the query to create a logon trigger. The Activity Monitor will monitor SQL logon events and obtain IP addresses for connections. The script is:

    CREATE TRIGGER SBAudit_LOGON_Trigger
    ON ALL SERVER
    FOR LOGON
    AS
    BEGIN
        DECLARE @str VARCHAR(MAX) = CAST(EVENTDATA() AS VARCHAR(MAX));
        RAISERROR(@str, 1, 1);
    END

Click Check Status to see if the trigger is configured properly, then click Next.
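The trigger raises the EVENTDATA() XML of every logon as an informational message (severity 1), so it never rolls back a logon; messages raised inside a logon trigger are diverted to the SQL Server error log rather than returned to the client, which adds one error-log entry per logon (plan error-log retention accordingly) and is presumably where the agent reads the client address from (an assumption; the guide does not say). The T-SQL below is an added example, not part of the guide: it performs the same check as the Check Status button by querying the server trigger catalog, confirms the trigger is actually emitting entries, and records the recovery path for the case where a logon trigger ever blocks connections.

```sql
-- Added example, not part of the Stealthbits guide.

-- 1. The trigger from Step 7 must exist, be enabled, and fire on LOGON.
SELECT t.name,
       t.is_disabled,           -- expected: 0
       e.type_desc,             -- expected: LOGON
       m.definition             -- trigger body, for review
FROM   sys.server_triggers       AS t
JOIN   sys.server_trigger_events AS e ON e.object_id = t.object_id
JOIN   sys.server_sql_modules    AS m ON m.object_id = t.object_id
WHERE  t.name = N'SBAudit_LOGON_Trigger';
-- No row means the script has not been run on this instance.

-- 2. Confirm it is emitting: each logon writes the EVENTDATA XML to the current
--    error log. xp_readerrorlog is undocumented but widely used; arguments are
--    log number (0 = current), log type (1 = SQL Server log), search string.
EXEC xp_readerrorlog 0, 1, N'<EventType>LOGON</EventType>';

-- 3. Recovery. A logon trigger that fails with an unhandled error (for example,
--    a referenced object is missing) or that executes ROLLBACK rejects every new
--    connection, sysadmins included. Logon triggers do not fire on the Dedicated
--    Administrator Connection, so connect as ADMIN:<server> (or start the instance
--    with -f) and run one of the following. Both are commented out on purpose so
--    that executing this whole script does not switch off logon monitoring.
-- DISABLE TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER;
-- DROP TRIGGER SBAudit_LOGON_Trigger ON ALL SERVER;
```

Keep the recovery commands with the change record for the trigger: the Check Status button tells you whether the trigger exists, but not how to get back in if a later edit to it misbehaves.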
Step 8 – On the Configure Basic Options page, configure the following option:
- Period to keep Log files – Activity logs are deleted after the number of days entered. The default is 10 days.

RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be retained to meet an organization's audit requirements.

Click Next.

Step 9 – On the Where To Log The Activity page, select whether to send the activity to either a Log File (TSV) or a Syslog Server, then click Next.

Step 10 – If Log File is selected on the Where To Log The Activity page, the File Output page can be configured.
- Specify output file path – Specify the file path where log files are saved. Click the ellipsis button (...) to open Windows Explorer and navigate to a folder destination. Click Test to test whether the path works.
- Period to keep Log files – Log files are deleted after the period entered. The default is 10 days. Use the dropdown to specify whether to keep the Log files for a set number of Minutes, Hours, or Days.
- This log file is for StealthAUDIT – Enable this option to have StealthAUDIT collect this monitored host configuration

RECOMMENDED: Identify the configuration to be read by StealthAUDIT when integration is available.
  - While the Activity Monitor can have multiple configurations per host, StealthAUDIT can only read one of them.
Step 11 – If Syslog Server is selected on the Where To Log The Activity page, the Syslog Output page can be configured.
- Syslog server in SERVER[:PORT] format – Type the Syslog server name in SERVER:Port format in the textbox.
  - The server name can be a short name, fully qualified name (FQDN), or IP address, as long as the organization's environment can resolve the name format used. The Event stream is the activity being monitored according to this configuration for the monitored host.
- Syslog Protocol – Identify the Syslog protocol to be used for the Event stream. The drop-down menu includes:
  - UDP
  - TCP
  - TLS
  - The TCP and TLS protocols add the Message framing drop-down menu. See the Syslog Tab section for additional information.
- The Test button sends a test message to the Syslog server to check the connection. A green check mark or a red mark indicates whether the test message was sent or failed to send. Messages vary by Syslog protocol:
  - UDP – Sends a test message and does not verify the connection
  - TCP/TLS – Sends a test message and verifies the connection
  - TLS – Shows an error if the TLS handshake fails
  - See the Syslog Tab section for additional information.

Click Finish. The added MS SQL Server host displays in the table of hosts being monitored. Once a host has been added to be monitored, additional configuration can be made, e.g. adding Comments.

Additional SQL Configuration

Once a SQL Server host has been added to the monitored hosts table, the configuration settings can be edited through the tabs in the host's Properties window. The configurable properties for SQL Server hosts and outputs are:
- Host Properties
  - MS SQL Server Tab
  - Logon Trigger Tab
  - Inactivity Alerts Tab
- Output Properties
  - Syslog Tab
  - Operations Tab
  - Objects Tab
  - Account Exclusions Tab for SQL Hosts
  - Additional Properties Tab

See the Monitored Hosts Properties Overview section for additional information.

Error Propagation

The Error Propagation collapsible section located above the Status Bar of the Activity Monitor provides visibility into a host's monitoring state. Host monitoring status is depicted in the Monitored Hosts table under the Status column. Users can expand the Error Propagation section to view more information on various status conditions.

Click the Down Arrow to expand the Error Propagation section. The information listed depends on which host is currently selected in the Monitored Hosts table. Users can find information on the Current State of a host, as well as view a history of changes in state.
Monitored Hosts Properties Overview

Once a host has been added to the Monitored Hosts list, the configuration settings can be edited through the host's Properties window. Most monitored host settings are configured when the host is added. However, some settings can only be configured through the host's Properties window, e.g. identifying the activity log for StealthAUDIT.

On the Monitored Hosts tab, select the host and click Edit to open the host's Properties window, or right-click on a host and select Edit Host from the right-click menu.

The Host Properties tabs are:
- Inactivity Alerts Tab
- MS SQL Server Tab — MS SQL Server hosts only

Each host contains one or more File or Syslog outputs. Outputs have additional properties that can be configured. Click the arrow next to the host name to expand the host's output list. To configure output properties, select the output and click Edit to open the output's Properties window, or right-click on an output and select Edit Output from the right-click menu.

The Output Properties tabs are:
- Log File Tab
- Syslog Tab
- Account Exclusions Tab
- Additional Properties Tab

Host Properties

To edit Host Properties, right-click on a host and select Edit Host. The configurable host properties available depend on the type of host being modified.

MS SQL Server Tab

The MS SQL Server tab on a SQL Server host's Properties window is used to configure properties for SQL activity monitoring on the host. The configurable options are:
- Enable Trace automatically — Check the box to have the Activity Monitor enable Trace automatically if it is disabled
- Audit polling interval — Configure the interval between audits. The default is 15 seconds.
- Open instruction... — Click Open Instruction... to view steps on how to create a login for SQL monitoring
  - Certain permissions are required to create a login for SQL monitoring. See the
- Server name\instance — Server name\instance of the SQL Server to be monitored
- User name — User for the SQL Server
- User password — Password for the SQL Server
- Connect — Click Connect to test the settings

Logon Trigger Tab

The Logon Trigger tab on a SQL Server host's Properties window is used to configure logon triggers for SQL activity monitoring. Copy and paste the SQL script into a SQL query and execute it to enable the Activity Monitor to obtain IP addresses of client connections. Click Check Status to check whether the trigger is properly configured on the SQL Server.

Inactivity Alerts Tab

The Inactivity Alerts tab on a host's Properties window is used to configure alerts that are sent when monitored hosts receive no events for a specified period of time. The configurable options are:
- Customize Inactivity Alert settings for the Monitored Hosts, otherwise the Agent's Inactivity Alerts settings will be used – Check this box to enable customization of alert settings for Monitored Hosts
- Length of inactivity – Specify how much time must pass before an inactivity alert is sent out. The default is 6 hours.
- Repeat an alert every – Specify how often an alert is sent out during periods of inactivity. The default is 6 hours.

Syslog Alerts Tab

Configure Syslog alerts using the Syslog Alerts tab. The configurable options are:
- Syslog server in SERVER[:PORT] format – Type the Syslog server name in SERVER:Port format in the textbox.
- Syslog protocol – Identify the Syslog protocol to be used for the alerts:
  - UDP
  - TCP
  - TLS
- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The following Syslog templates have been provided:
  - AlienVault / Generic Syslog
  - CEF – Incorporates the CEF message format
  - HP ArcSight
  - LEEF – Incorporates the LEEF message format
  - LogRhythm
  - McAfee
  - QRadar – Use this template for IBM QRadar integration. See the Configure the Stealthbits Activity Monitor for Event Stream to QRadar section of the Stealthbits File Activity Monitor App for QRadar User Guide for additional information.
  - Splunk – Use this template for Splunk integration. See the Configure the Stealthbits Activity Monitor for Event Stream to Splunk section of the Stealthbits File Activity Monitor App for Splunk User Guide for additional information.

Email Alerts Tab

Configure Email alerts using the Email Alerts tab. The configurable options are:
- SMTP server in SERVER[:PORT] format – Enter the SMTP server for the email alerts
- Enable TLS – Check the box to enable TLS encryption
- User name – (Optional) User name for the email alert
- User password – (Optional) Password for the user name
- From email address – Email address that the alert is sent from
- To email address – Email address that the alert is sent to
- Message subject – Subject line used for the email alert. Click the ellipsis (...) to open the Message Template window.
- Message body – Body of the message used for the email alert. Click the ellipsis (...) to open the Message Template window.
Output Properties

To edit Output Properties, right-click on an output and select Edit Output. The configurable output properties available depend on the type of output and host being modified.

Log File Tab

The Log Files tab on a host's Properties window is where the activity log settings are modified. These settings are initially configured on the Configure Basic Options page of the Add New Host window when the host is added to the Monitored Hosts list.

Log Files Tab for SQL Hosts

After initial configuration, the following options can be configured:
- Log file path – Identifies the full path of the activity log files on the activity agent server. The current timestamp is appended to the file name automatically.
- Period to keep Log files – Activity logs are deleted after the number of days entered. The default is 10 days.
  RECOMMENDED: Keep a minimum of 10 days of activity logs. Raw activity logs should be retained to meet an organization's audit requirements.
- This log file is for StealthAUDIT – Enable this option to have StealthAUDIT collect this monitored host configuration

It is typically not recommended to disable the activity log. See the Search Feature section of the Stealthbits Activity Monitor Installation & Console User Guide for additional information. A list of the JSON log file columns and descriptions is available in the Appendix. See the Stealthbits Activity Monitor Appendices section for additional information.

Operations Tab

Operations Tab for SQL Hosts

The Operations tab on a SQL host's Properties window allows users to configure which DML Operations, Audit Operations, and Permission Operations are monitored. In the SQL host's Operations tab, modify settings that were populated with the information entered when the host was added. Select the DML Operations, Audit Operations, and Permission Operations to be monitored. Click OK to apply changes and exit, or Cancel to exit without saving any changes.

Objects Tab

The Objects tab for SQL Server outputs is used to choose which SQL Server objects to monitor. Click Refresh to populate the list of SQL Server objects that can be monitored.

Account Exclusions Tab for SQL Hosts

The Account Exclusions tab on a SQL host's Properties window allows users to scope monitoring by adding filters for accounts by name or type. The configurable options are:
- Add Sql User – Click the Add SQL User button to open the Specify Sql User Name window.
- Remove – Click Remove to remove an excluded account from the Account Exclusion list.
- Process group membership when filtering – Check the box to enable processing of group memberships when filtering accounts

Enter one or more SQL User Names into the text box to exclude those accounts from SQL activity monitoring. Click OK to confirm changes. Click Cancel to exit the window without saving.

Additional Properties Tab

The Additional Properties tab on a host's Properties window displays comments entered for the monitored host by the users. The options are:
- Report hostname as – The value entered here customizes the hostname that is reported in the event for log files and Syslog outputs
- Comment – The value entered here appears in the Comments column of the Activity Monitor's Monitored Hosts tab. Often, the Additional Properties tab is used to indicate the desired output, e.g. StealthAUDIT. This can be useful when using multiple outputs with different configurations.

Syslog Tab

The Syslog tab on a host's Properties window allows users to configure communication with SIEM servers. The available options are:
- Syslog server in SERVER[:PORT] format – Type the Syslog server name in SERVER:Port format in the textbox.
  - The server name can be a short name, fully qualified name (FQDN), or IP address, as long as the organization's environment can resolve the name format used. The Event stream is the activity being monitored according to this configuration for the monitored host.
- Syslog Protocol – Identify the Syslog protocol to be used for the Event stream. The drop-down menu includes:
  - UDP
  - TCP
  - TLS
  The TCP and TLS protocols add the Message framing drop-down menu (figures: TCP Protocol; TLS Protocol). Message framing options include:
  - LF (ASCII 10) delimiter
  - CR (ASCII 13) delimiter
  - CRLF (ASCII 13, 10) delimiter
  - NUL (ASCII 0) delimiter
  - Octet Count (RFC 5425)
- The Test button sends a test message to the Syslog server to check the connection. A green check mark or a red mark indicates whether the test message was sent or failed to send. Messages vary by Syslog protocol:
  - UDP – Sends a test message and does not verify the connection
  - TCP/TLS – Sends a test message and verifies the connection
  - TLS – Shows an error if the TLS handshake fails
- Syslog message template – Click the ellipsis (…) to open the Syslog Message Template window. The following Syslog templates have been provided:
  - AlienVault / Generic Syslog
  - CEF – Incorporates the CEF message format
  - HP ArcSight
  - LEEF – Incorporates the LEEF message format
  - LogRhythm
  - McAfee
  - QRadar – Use this template for IBM QRadar integration. See the Configure the Stealthbits Activity Monitor for Event Stream to QRadar section of the Stealthbits File Activity Monitor App for QRadar User Guide for additional information.
  - Splunk – Use this template for Splunk integration. See the Configure the Stealthbits Activity Monitor for Event Stream to Splunk section of the Stealthbits File Activity Monitor App for Splunk User Guide for additional information.

Custom templates can be created. Select the desired template or create a new template by modifying an existing template within the Syslog Message Template window. The new message template will be named Custom.
Search Feature

The search feature consolidates and compartmentalizes search results based on events, time, objects, users, and hosts. Search results populate based on which settings are chosen. Results may then be sorted, filtered, and/or exported into a CSV file or JSON file depending on the type of search. See the Console Navigation section of the Stealthbits Activity Monitor Installation & Console User Guide for more information.

To open the search feature, click the Magnifying Glass icon and select from the following options:
- SQL Server Search Query — Selecting the SQL Server option enables users to search agents for SQL activity

The search process includes the following steps:
- Create the Search Query by setting the desired filters
- Sort and/or filter within the returned results
- Optionally, export the results

Queries that may be useful to an organization include the following:
- Who accessed a particular folder/file on X day or during Y date range?
- Who renamed a particular folder/file on X day or during Y date range?
- Who deleted a particular folder/file on X day or during Y date range?
- Who created a particular folder/file?
- What did user X do on day Y?
- What did user X do between days Y and Z?
- Administrator activity details?

SQL Search Query

Configure parameters for search features for SQL Server environments using the SQL Search Query tab. For more general information on search queries, see the Search Feature section. A search query can apply any combination of filters. The filters are:

General Filters

The General filter must be configured for every query. The filters in this section address who, what, where, and when an object, user, host, or domain controller is affected by User and SQL Server events. The General Filters are:
- Time From – Determines the start datetime of the period the search is conducted for
- Time To – Determines the end datetime of the period the search is conducted for
- Event Result – Configure to select whether to return results for All, Success, or Failure
- Reason – The search can be run against a simple string with wildcards or a regular expression by selecting the dropdown arrow.
- Agent Hosts – Select which agent host(s) to search
- Search Limit – Configure the number of results that are returned from a search. The default is 10000.

User Filters

Filter for specific users using the filter options in the User Filters section. The User Filters are:
- Name or ID – Search for a specific name or ID using the Name or ID search filter. The search can be run against a simple string with wildcards or a regular expression by selecting the dropdown arrow.
- IP Address – Search for a specific IP address using the IP Address search filter. The search can be run against a simple string with wildcards or a regular expression by selecting the dropdown arrow.

SQL Filters

Filter for other SQL-specific attributes using the SQL Filters section. The SQL Filters are:
- Database – Return results from a specific database by entering text into the Database field. The search can be run against a simple string with wildcards or a regular expression by selecting the dropdown arrow.
- Type Mask – Enter a value into the Type Mask field to use a type mask for search results. The search can be run against a simple string with wildcards or a regular expression by selecting the dropdown arrow.
- Application – Enter a value into the Application field to use an application for search results. The search can be run against a simple string with wildcards or a regular expression by selecting the dropdown arrow.
- SQL Text – Enter a value into the SQL Text field to search for specific SQL text. The search can be run against a simple string with wildcards or a regular expression by selecting the dropdown arrow.

SQL Search Results

When a search has been started, the Search Status table at the bottom displays the percentage complete according to the size and quantity of the activity log files being searched per activity agent. Search results can be sorted, filtered, and exported to a CSV file.

The results data grid columns display the following information for each event:
- Event Time – Date timestamp of the event
- Agent – Stealthbits Activity Monitor activity agent which monitored the event
- Result – Indicates whether the event type was a success
- User – User account that performed the activity event
- IP Address – IP address of the client host associated with the event
- Client Host – Name of the client host associated with the event
- Application Name – Name of the application associated with the event
- Operation – The type of operation associated with the event
- Database – The type of database associated with the event
- SQL – The SQL query text associated with the event
- Error – Indicates the SQL error code associated with the event
- Message – Description of the error associated with the event
- Category – Category of the error associated with the event

At the bottom of the search interface, additional information is displayed for selected events in the data grid. The Attribute Name, Operation, Old Value, and New Value for the logged event (as applicable to the event) are displayed.

Results can also be organized within the Search Results table. See the Export Search Results, Filter Search Results, and Sort Search Results sections for additional information on organizing the Search Results table.

Export Search Results

The search results data grid from a File search query can be exported to a CSV file. The search results data grid from an Active Directory search query can be exported to a JSON file. Click the Export button located at the top left corner of the window and set the name and location of the CSV file.

Filter Search Results

The drop-down menu for a column header in the search results data grid provides the option to filter the search results further. Choose between checking/unchecking the desired field values from the list of available values and typing in the search textbox. The Clear filter option removes all filters from the selected column. A filter icon appears on the header where filters have been applied. Multiple columns can be filtered in the search results data grid.

NOTE: The columns that can be filtered vary depending on the results returned.

Sort Search Results

Clicking on any column header in the search results data grid sorts the results alphanumerically for that column, and an arrow shows next to the column name indicating whether the sort is in ascending or descending order. The drop-down menu on the column header has options to Sort A to Z or Sort Z to A for the selected column. Sorting can only occur for one column at a time.

NOTE: The columns that can be sorted vary depending on the results returned.
More Information

Identify threats. Secure data. Reduce risk.

Stealthbits Technologies is a data security software company focused on protecting an organization’s credentials and data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements, and decrease operations expense.

For information on our products and solution lines, check out our website at www.stealthbits.com or send an email to our information center at info@stealthbits.com. If you would like to speak with a Stealthbits Sales Representative, please contact us at +1.201.447.9300 or via email at sales@stealthbits.com.

Have questions? Check out our online Documentation or our Training Videos (requires login): https://www.stealthbits.com/documentation. To speak to a Stealthbits Representative: please contact Stealthbits Support at +1.201.447.9359 or via email at support@stealthbits.com.

Need formal training on how to use a product more effectively in your organization? Stealthbits is proud to offer FREE online training to all customers and prospects! For schedule information, visit: https://www.stealthbits.com/on-demand-training.
Stealthbits Activity Monitor Appendices

See the following appendices for additional information:

- Appendix: SQL Server Activity Monitor JSON Log File

Appendix: SQL Server Activity Monitor JSON Log File

The following information lists all of the columns generated by SQL Server Activity Monitor into a JSON log file, along with their type, description, and an example value.

- TimeLogged (DateTime) – UTC datetime of the event, format: yyyy-MM-ddTHH:mm:ss.fffZ. Example: 2021-02-18T15:39:29.424Z
- ActivityType (Fixed string) – Example: SqlServer
- AgentHost (String) – Host of the Stealthbits Activity Monitor Agent Service. Example: W7-VS17
- UserName (String) – Name of the user who performed the operation. Example: admin
- Success (bool) – The result of the operation. For Login operations, False means the login has failed. For other operations, the result is always True. Example: True
- TypeMask (uint) – Integer representation of the performed operation: a combination (mask) of codes from the SqlServerEvent enumeration. Example: 33 (combination of Select and Execute). The enumeration values are:
  - Select = 0x01
  - Insert = 0x02
  - Update = 0x04
  - Delete = 0x08
  - Merge = 0x10
  - Execute = 0x20
  - LoginSuccessful = 0x40
  - LoginFailed = 0x80
  - Logout = 0x0100
  - Grant = 0x0200
  - Revoke = 0x0400
  - Deny = 0x0800
  - Error = 0x1000
  - Create = 0x2000
  - Alter = 0x4000
  - Drop = 0x8000
- TypeMaskDesc (String) – Text representation of the TypeMask field. Example: Select|Execute
- ClientAppName (String) – Name of the application that caused the operation. Example: Microsoft SQL Server Management Studio - Transact-SQL IntelliSense
- ClientHostName (String) – Name of the client host. Example: W10
- ClientIp (String) – IP address of the client (can be empty). Example: 127.0.0.1
- DatabaseName (String) – Name of the affected database. Example: AdventureWorks
- SqlText (String) – Query text. Example: select * from [SalesLT].[Customer]
- ErrorNumber (Integer) – MSSQL error code. Example: 208
- Message (String) – Message text of the error. Example: Invalid object name 'SalesLT.Customer1'.
- Category (String) – Category of the error. Example: 2
- SqlObjects (String) – Array of affected objects

JSON Examples

Error event:
{"TimeLogged":"2021-06-11T12:57:18.600Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":4096,"TypeMaskDesc":"Error","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04","SqlText":"select * from [SalesLT].[Customer1]","ErrorNumber":208,"Message":"Invalid object name 'SalesLT.Customer1'.","Category":"2"}

Login event (successful):
{"TimeLogged":"2021-06-11T12:50:40.038Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"master"}

Login event (failed):
{"TimeLogged":"2021-06-11T12:28:24.165Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"","Success":false,"TypeMask":64,"TypeMaskDesc":"Login","ClientAppName":"Microsoft SQL Server Management Studio","ClientHostName":"W10","ClientIp":"","DatabaseName":"master","ErrorNumber":18456,"Message":"Login failed for user 'testuser'. Reason: Could not find a login matching the name provided. [CLIENT: ]"}

Logout event:
{"TimeLogged":"2021-06-11T13:14:28.386Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"testuser1","Success":true,"TypeMask":256,"TypeMaskDesc":"Logout","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"StealthRECOVER_22-04"}

SqlEvent event:
{"TimeLogged":"2021-06-11T13:22:48.682Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":5,"TypeMaskDesc":"Select|Update","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":"select top 100 * \r\nfrom [SalesLT].[SalesOrderDetail] d\r\nleft join [SalesLT].[Product] p on p.ProductID=d.ProductID;\r\nUpdate [SalesLT].[Product] set ProductNumber='zzz' where ProductNumber='xxx';\r\n","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"SalesOrderDetail","op":"Select"},{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Select|Update"}]}

Permission event:
{"TimeLogged":"2021-06-11T13:27:48.009Z","ActivityType":"SqlServer","AgentHost":"W7-VS17","UserName":"sa","Success":true,"TypeMask":512,"TypeMaskDesc":"Grant","ClientAppName":"Microsoft SQL Server Management Studio - Query","ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019","SqlText":"\r\n\r\nGRANT ALL ON [SalesLT].[Product] TO [sqluser3]; ","SqlObjects":[{"t":"U","db":"AdventureWorksLT2019","s":"saleslt","o":"Product","op":"Grant"}]}
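As an added example (not part of the Stealthbits guide or product), the following Python reads JSON log records in the format documented in this appendix, expands the TypeMask bit flags using the SqlServerEvent values listed above, and triages each record into failed logins, permission or schema changes worth a second look, and ordinary activity. The log lines are constructed for the example and modeled on the JSON examples above; the agent host name AGENT01 and the review policy in REVIEW_MASK are assumptions, not something the guide prescribes.

```python
import json

# SqlServerEvent flag values for the TypeMask field, as listed in the appendix.
SQL_SERVER_EVENT = {
    "Select": 0x01, "Insert": 0x02, "Update": 0x04, "Delete": 0x08,
    "Merge": 0x10, "Execute": 0x20, "LoginSuccessful": 0x40, "LoginFailed": 0x80,
    "Logout": 0x0100, "Grant": 0x0200, "Revoke": 0x0400, "Deny": 0x0800,
    "Error": 0x1000, "Create": 0x2000, "Alter": 0x4000, "Drop": 0x8000,
}

# Assumed review policy (not from the guide): permission and schema changes get a second look.
REVIEW_MASK = sum(SQL_SERVER_EVENT[n] for n in ("Grant", "Revoke", "Deny", "Alter", "Drop"))

# Constructed log lines modeled on the appendix examples; AGENT01 is a placeholder host name.
SAMPLE_LOG = [
    '{"TimeLogged":"2021-06-11T12:28:24.165Z","ActivityType":"SqlServer","AgentHost":"AGENT01",'
    '"UserName":"","Success":false,"TypeMask":64,"TypeMaskDesc":"Login","ClientHostName":"W10",'
    '"ClientIp":"","DatabaseName":"master","ErrorNumber":18456}',
    '{"TimeLogged":"2021-06-11T13:22:48.682Z","ActivityType":"SqlServer","AgentHost":"AGENT01",'
    '"UserName":"sa","Success":true,"TypeMask":5,"TypeMaskDesc":"Select|Update",'
    '"ClientHostName":"W10","ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019"}',
    '{"TimeLogged":"2021-06-11T13:27:48.009Z","ActivityType":"SqlServer","AgentHost":"AGENT01",'
    '"UserName":"sa","Success":true,"TypeMask":512,"TypeMaskDesc":"Grant","ClientHostName":"W10",'
    '"ClientIp":"127.0.0.1","DatabaseName":"AdventureWorksLT2019"}',
]


def decode_type_mask(mask):
    """Expand a TypeMask integer into the SqlServerEvent names whose bits are set."""
    return [name for name, bit in SQL_SERVER_EVENT.items() if mask & bit]


def triage(event):
    """Classify one record: Login with Success=false is a failed login (see the Success field)."""
    mask = int(event.get("TypeMask", 0))
    if mask & SQL_SERVER_EVENT["LoginSuccessful"] and not event.get("Success", True):
        return "failed-login"
    if mask & REVIEW_MASK:
        return "review"
    return "info"


def summarize_log(lines):
    """Parse one JSON record per line; return (triage, user, client host, operations) tuples."""
    rows = []
    for line in lines:
        if not line.strip():
            continue  # tolerate blank lines in the log file
        ev = json.loads(line)
        ops = "|".join(decode_type_mask(int(ev["TypeMask"])))
        rows.append((triage(ev), ev.get("UserName", ""), ev.get("ClientHostName", ""), ops))
    return rows
```

Note that the failed-login record carries TypeMask 64 (LoginSuccessful) with Success false, exactly as in the appendix example, so the Success field, not the mask, decides the outcome.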