Security

Is there a Splunk alert to identify when a database is copied?

Fritto73
New Member

I want to monitor any database copies that are made. Whether it be a backup or copy to flat file. Can Splunk capture this?


muebel
SplunkTrust

Yes, but it depends on auditing the copy. You have to be able to capture the event from either the filesystem or database perspective, and then index that event in Splunk. Once you do so, you can create an alert that runs a search to find that event, and if it does it will take an action (send an email).


Fritto73
New Member

What I am looking for is a security feature. If we can monitor for unauthorized copies or access.


jeffland
SplunkTrust

What database are we talking about? Assuming an external database on some server, the answer is simple: if you can make that database log its accesses to a file or some other output (e.g. syslog) that you can monitor with splunk, then you can definitely do that. The question as it is however is too vague to say how exactly.


Fritto73
New Member

SQL database. As it stands, there is no alert for any type of database copy made. From my research and knowledge there are too many variables to just log the "copy" of a database. If what I have been told is correct, someone who knows what they are doing can run a "select" statement and copy the DB without anyone else knowing. If that is true, then would splunk identify that?


jeffland
SplunkTrust

Splunk does not "identify" anything - you use splunk to identify stuff in data. MS Word does not write a letter for you, but you can use it to write and format one.
There are two basic steps you need to do: 1) get the data from the sources to monitor into splunk, 2) in that data, find pieces of evidence or run statistics that indicate a problem or violation.

A primary type of data ingested with splunk is log data. In order to get you started with point one, you need to enable logging on your SQL database, i.e. make it write all (attempted) accesses and run queries to log files, and monitor those log files with splunk. You will then be able to search through those logs, and will have to identify what queries are not supposed to be run/which users are not supposed to log on/which IPs are not supposed to contact the server and all that. But bear in mind that everything you want to find out about has to be somewhere in that log data. If the logs only contain info on the queries run and not on who ran them from which ip, then you can not use that data in splunk.

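As an added example, not from this thread or from Splunk, here is the second step jeffland describes (finding evidence in the ingested data) written as a small Python checker that runs over constructed SQL audit lines: each event is tested against an allow-list of users and source networks and against statement shapes that amount to a whole-database or whole-table copy. The key=value log format, the user list, the 10.0.0.0/16 network, the patterns and the row threshold are all assumptions; the same conditions would become the `where` clauses of the Splunk search behind the alert.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample audit lines in an assumed key=value format (not a real
# SQL Server audit format). Assumption: the database logs user, source IP,
# rows returned and the statement text for every query.
SAMPLE_LOG = """\
ts=2024-03-01T09:00:01Z user=app_svc src=10.0.1.15 rows=12 stmt="SELECT id,total FROM orders WHERE id=42"
ts=2024-03-01T09:00:07Z user=dba_jane src=10.0.2.8 rows=0 stmt="BACKUP DATABASE sales TO DISK='D:\\\\bk\\\\sales.bak'"
ts=2024-03-01T09:01:13Z user=app_svc src=203.0.113.9 rows=250000 stmt="SELECT * FROM customers"
ts=2024-03-01T09:02:30Z user=tmp_user src=10.0.1.15 rows=3 stmt="SELECT name FROM customers WHERE id=7"
"""

LINE_RE = re.compile(r'ts=(\S+) user=(\S+) src=(\S+) rows=(\d+) stmt="(.*)"$')

# Policy, assumed for the example: who may query the database and from where,
# and which statement shapes indicate a copy of a whole database or table.
ALLOWED_USERS = {"app_svc", "dba_jane"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/16")]
COPY_PATTERNS = re.compile(r"^\s*(BACKUP\s+DATABASE|SELECT\s+\*\s+FROM|SELECT\s+.*\bINTO\b)", re.I)
BULK_ROWS = 10_000  # a single query returning this many rows is treated as an export


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple


def analyse(log_text: str) -> list:
    """Return one Finding per audit line that breaks the policy, with the reasons why."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production an unparseable audit line deserves its own alert
        ts, user, src, rows, stmt = m.groups()
        reasons = []
        if user not in ALLOWED_USERS:
            reasons.append("unknown user")
        if not any(ipaddress.ip_address(src) in net for net in ALLOWED_NETS):
            reasons.append("source outside allowed network")
        if COPY_PATTERNS.search(stmt):
            reasons.append("copy-shaped statement")  # backups are copies too, so they are reported
        if int(rows) >= BULK_ROWS:
            reasons.append("bulk row count")
        if reasons:
            findings.append(Finding(ts, user, src, tuple(reasons)))
    return findings
```

Note that the second line, a legitimate backup by an allowed DBA, is still reported: the original question asked to see every copy, so the alert action (email, ticket) rather than the search is where you decide which findings need a human.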