Database Activity
The Database Activity Dashboard shows the log activity from the Snare SQL agent, which collects and monitors user activity on Microsoft SQL instances and database servers. The Snare SQL agent can monitor many key aspects of the database and collect logs that cover all administrative activity as well as normal user activity. In general the agent is mostly used to monitor just the DBA or administrative activity on the database, as applications usually have role-based access controls in place to control what a user can do. A DBA or system administrator can override any technical controls at the application level because they have direct access to the database: they can run any form of database update, delete or truncate tables, export data out of the database, and change procedures and content, all outside the control of the application. While most DBAs and sysadmins are in trusted roles, if their access is compromised then the attacker can use their credentials to perform nefarious activity. Understanding and knowing what activity is approved and what is not on the database helps to detect any unauthorised changes or a loss of confidentiality of sensitive data. The key aspects of the dashboard are:
- MSSQL DB activity over time - this shows the general event rate over time. When spikes occur they are easily visible on the graph.
- Login Activity - SQL Server can use either local SQL logins or Windows integrated authentication for login and access. This includes all logins and logouts at the database level.
- MSSQL DB Events - this shows a summary view of all event types coming from the monitored databases or SQL instances.
- SQL Objects - this will show the object details that are being monitored and the activity that was detected.
- Logs by System - this shows a percentage chart overview of all systems and which ones are generating more events than others.
- DB Activity - this chart shows which database is generating more activity than other databases. NOTE: a database is contained within a SQL instance, and an instance can run one or more databases.
- DB User Activity - this chart shows which users are generating more activity than other users.
- Query Tracking - this chart shows the details of the actual SQL query that was run on the system.
- Account Admin - this chart shows the usage of the admin account or of anyone using the SYSADMIN role in SQL Server: SQL Server logins added or removed, Windows rights used, and passwords and properties modified.
- User Rights - this chart shows users that are using elevated user rights to perform a function. This includes impersonation, i.e. when a user executes as (logs in as) another user.
- User Rights DML - this chart shows user rights used by DML (Data Manipulation Language). DML covers the SQL commands that deal with the manipulation of data present in the database, which includes most SQL statements.
Examples of DML:
- User Rights DDL - this chart shows user rights used by DDL (Data Definition Language). DDL consists of the SQL commands that can be used to define the database schema; it deals with descriptions of the database schema and is used to create and modify the structure of database objects in the database.
Examples of DDL commands:
- CREATE - is used to create the database or its objects (such as tables, indexes, functions, views, stored procedures and triggers).
- DROP - is used to delete objects from the database.
- ALTER - is used to alter the structure of the database.
- TRUNCATE - is used to remove all records from a table; all space allocated for the records is released as well.
- COMMENT - is used to add comments to the data dictionary.
- RENAME - is used to rename an object existing in the database.
- Refer to the Snare MSSQL user guide for more details on all the event IDs related to each function: https://customer.intersectalliance.com/api/download/release/322/guide_file
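The DDL/DML/impersonation split that the User Rights charts rely on can be applied as a baseline check over collected events. The following is an added example, not Snare's own code: the event field names and the sample events are constructed assumptions, and the approval rules are an assumed policy, not the agent's.

```python
import re
from collections import Counter

# Leading keywords of the statement classes the dashboard separates.
DDL_VERBS = {"CREATE", "DROP", "ALTER", "TRUNCATE", "COMMENT", "RENAME"}
DML_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"}

# Constructed sample events; field names are assumptions, not the agent's schema.
SAMPLE_EVENTS = [
    {"db": "Payroll", "login": "CORP\\alice", "sysadmin": False,
     "sql": "SELECT name FROM dbo.Employees WHERE id = 42"},
    {"db": "Payroll", "login": "CORP\\dba01", "sysadmin": True,
     "sql": "UPDATE dbo.Employees SET salary = 99999 WHERE id = 42"},
    {"db": "Payroll", "login": "CORP\\dba01", "sysadmin": True,
     "sql": "EXECUTE AS LOGIN = 'CORP\\alice'"},
    {"db": "Sales", "login": "CORP\\deploy", "sysadmin": False,
     "sql": "ALTER TABLE dbo.Orders ADD region NVARCHAR(50)"},
    {"db": "Sales", "login": "CORP\\bob", "sysadmin": False,
     "sql": "TRUNCATE TABLE dbo.OrderArchive"},
]

def classify(sql):
    """Return 'IMPERSONATION', 'DDL', 'DML' or 'OTHER' for one T-SQL statement."""
    if re.match(r"\s*EXEC(UTE)?\s+AS\s+(LOGIN|USER)\b", sql, re.IGNORECASE):
        return "IMPERSONATION"
    verb = sql.split(None, 1)[0].upper() if sql.strip() else ""
    if verb in DDL_VERBS:
        return "DDL"
    if verb in DML_VERBS:
        return "DML"
    return "OTHER"

def review(events, approved_ddl_logins):
    """Flag events outside an assumed baseline: any impersonation, DDL by a login
    not on the approved change list, and DML issued directly by a SYSADMIN
    (which bypasses the application's access controls). Also returns a per-
    database event count, the data behind a 'DB Activity' style chart."""
    flags, per_db = [], Counter()
    for ev in events:
        kind = classify(ev["sql"])
        per_db[ev["db"]] += 1
        if kind == "IMPERSONATION":
            flags.append((ev["login"], ev["db"], "impersonation"))
        elif kind == "DDL" and ev["login"] not in approved_ddl_logins:
            flags.append((ev["login"], ev["db"], "unapproved DDL"))
        elif kind == "DML" and ev["sysadmin"]:
            flags.append((ev["login"], ev["db"], "sysadmin DML outside application"))
    return flags, per_db
```

Running `review(SAMPLE_EVENTS, {"CORP\\deploy"})` flags the sysadmin's direct UPDATE, the EXECUTE AS impersonation, and bob's TRUNCATE, while alice's SELECT and the approved deploy account's ALTER pass.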