Security

Is there a Splunk alert to identify when a database is copied?

Fritto73
New Member

I want to monitor any database copies that are made. Whether it be a backup or copy to flat file. Can Splunk capture this

Tags (2)
0 Karma

muebel
SplunkTrust
SplunkTrust

Yes, but it depends on auditing the copy. You have to be able to capture the event from either the filesystem or database perspective, and then index that event in Splunk. Once you do so, you can create an alert that runs a search to find that event, and if it does it will take an action (send an email).

0 Karma

Fritto73
New Member

What I am looking for is a security feature. If we can monitor for unauthorized copies or access.

0 Karma

jeffland
SplunkTrust
SplunkTrust

What database are we talking about? Assuming an external database on some server, the answer is simple: if you can make that database log its accesses to a file or some other output (e.g. syslog) that you can monitor with splunk, then you can definitely do that. The quesion as it is however is too vague to say how exactly.

0 Karma

Fritto73
New Member

SQL database. As it stands, there is no alert for any type of database copy made. From my research and knowledge there are to many variables to just log the "copy" of a database. If what I have been told is correct, someone who knows what they are doing can run a "select" statement and copy the DB without anyone else knowing. If that is true, then would splunk identify that?

0 Karma

jeffland
SplunkTrust
SplunkTrust

Splunk does not "identify" anything - you use splunk to identify stuff in data. MS Word does not write a letter for you, but you can use it to write and format one.
There are two basic steps you need to do: 1) get the data from the sources to monitor into splunk, 2) in that data, find pieces of evidence or run statistics that indicate a problem or violation.

A primary type of data ingested with splunk is log data. In oder to get you started with point one, you need to enable logging on your SQL database, i.e. make it write all (attempted) accesses and run queries to log files, and monitor those log files with splunk. You will then be able to search through those logs, and will have to identify what queries are not supposed to be run/which users are not supposed to log on/which IPs are not supposed to contact the server and all that. But bear in mind that everything you want to find out about has to be somewhere in that log data. If the logs only contain info on the queries run and not on who ran them from which ip, then you can not use that data in splunk.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...