Security

How should we handle SQL Server audit data that reaches the wineventlog index?

danielbb
Motivator

For SQL Server audit information, we ended up sending the data to the wineventlog index as application events.

This data - EventCode=33205 should be visible only for the cyber/audit audience. How can we apply a different access to this data or should we route it to a different index? If so, how can we do it?

Labels (1)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust
The only way to apply different security to certain data is to put that data in a separate index.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Extending Splunk AI Assistant for SPL to Splunk Enterprise customers!

Howdy Splunk Community! It’s an exciting day here at Splunk – Splunk AI Assistant for SPL version 1.3.0 is now ...

Developer Spotlight with Qmulos

Qmulos: Building a Next-Level Cybersecurity Business through Splunk Apps Qmulos started as a scrappy startup ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...