Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Test Search

dhaertel
Path Finder
‎08-08-2018 08:30 AM

So I've been tasked to run a mock search as if one of our users breached a database just to see if we are collecting enough of and the correct data. By searching the user and the database server I'm presented almost 40K results, if I eliminate logoffs, that gets me down to 20K, still pretty large and it also doesn't seem to include much of anything in those returned results. Can anyone suggest some key search items to add to this search string to narrow down access, maybe even to the database level?

0 Karma
Reply

somesoni2
Revered Legend
‎08-08-2018 11:00 AM

What type of database logs you're collecting?

0 Karma
Reply

dhaertel
Path Finder
‎08-08-2018 11:11 AM

Apparently not enough, looks like just connection, initiation and that's about it. We have GreenSQL as a connection firewall but it's not returning anything other than application level access, so no user information is being gathered. We've also been unsuccessful in getting GreenSQL to pass activity logs to the Splunk server. We get the syslog data but not activity, so I'm forced to try and mesh them up manually, which hasn't been successful.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-08-2018 10:16 AM

What is your current search?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dhaertel
Path Finder
‎08-08-2018 11:09 AM

Right now it's just the SQL server host, user account, connection port, and successful and unsuccessful logons/logoffs. I can see the user access the SQL server but nothing past that. So apparently there's some auditing that needs to be enabled inside the SQL server in order to get to DB level access. This is new territory for me.

0 Karma
Reply

dhaertel
Path Finder
‎08-08-2018 11:14 AM

sqlxxxx1 src_user=jxxxxx NOT 18149 NOT SQLxxxxx1 "Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

the NOT 18149 just eliminates the logoffs for narrowing purposes and the NOT SQLxxxxx1 just eliminates a particular server that the DBA uses to launch RDP from to get to the DB server, I'm looking at specifically when he launches/connects from his workstation. At this point, I'm ok with just knowing the logon events.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2018 04:08 AM

IMO, it's important to know what users are doing after they log on. This is especially true for admins and other users with enhanced permissions.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dhaertel
Path Finder
‎08-09-2018 05:34 AM

That's true and if I can filter it further down I can add the logoffs back on but there are so many connection entries that I just needed to try and narrow the results down to see if I could get down to file level or database instance level.

Unfortunately, we're missing the auditing on the database side of things. We were supposed to be catching logs from our SQL firewall, GreenSQL but they were never setup correctly so I'm back to square one while we search for a replacement for GreenSQL.

We could setup the Microsoft auditing tool but everything hitting the database should be going through the firewall and it'll just increase the load on the server which is already over 90 percent RAM utilization with a 256 Gig load.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...