SQL Server Alert
Hello areeb,
It is very difficult to determine the message ID that should be monitored in this way. My suggestion would be to create a Test Case. Create a spreadsheet with the following column headings and fill in the information needed to perform the test:
Test Criteria: Determine the message ID used when a change is made to a SQL table
Test Target: SQL table that will be modified
Test Input: 'username' that will be used to create events that indicate a table has been changed in SQL
Test Time: Date/Time when the action will be tested
Once the above is in place you can perform a realtime analysis using filters to show only events taking place on the specified table, by the specified user, during the timeframe that was decided upon. Then you can see exactly what message ID was used for those actions.
After the Message ID is determined you can create alerts or reports to show when those activities take place.
Good luck,
Steve
Hello Areeb,
I pull a report for SQL changes using the query below:
DeviceAddress in (select paddr from device_list where dtype=65 AND DeviceAddress=${DatabaseName}) AND (ReferenceID IN ('104','108','109','110','111','112','115','117','118','128','129','177','175') AND (UserName NOT LIKE 'audit_reader'))
$Database is a variable I use for the different database servers I have.
The above IBM link was very handy to choose which event ID I should monitor.
Hope this helps.
Regards
Afeef
Does anyone have their own best-practice list of MSSQL audit event messages? I'm asking because in the IBM reference there are a lot of messages which duplicate themselves.
For example, the problem is that when someone creates a database you get several MSSQL events; the question is which one is the best for us.
Has anyone tried to assign the sysadmin role to a user? This is event 108, and in the parsed DATABASE table there is no difference between an administrator adding the sysadmin role to a user and removing this role. So you can't create a correlation rule for adding this role to some user ;-/
The two events are the same... in Event Viewer there is a difference:
When you add the sysadmin role to a user there is information about database = dbo
When you remove this role from the user there is no notice about database = dbo
This is the only difference. The problem is that when the message is parsed into the DATABASE table, these two changes (add / remove) look the same. In the parsed DATABASE table there isn't any information about database "dbo".
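An added example, not part of any post in this thread: one way to tell the add and remove cases for event 108 apart is to read them on the SQL Server itself, where trace event class 108 (Audit Add Login to Server Role) carries an EventSubClass of 1 for an add and 2 for a drop. The query assumes the instance's default trace is still enabled and that the caller is allowed to read trace files; the output column aliases are illustrative.

```sql
-- Added example: list sysadmin membership changes with an explicit ADD/DROP action.
-- Assumption: the default trace is enabled (it is on unless someone disabled it).

-- Locate the current default trace file.
DECLARE @trace_path nvarchar(260);

SELECT @trace_path = path
FROM sys.traces
WHERE is_default = 1;

-- Event class 108 = Audit Add Login to Server Role.
-- EventSubClass distinguishes the two actions: 1 = Add, 2 = Drop.
SELECT
    t.StartTime,
    t.ServerName,
    t.LoginName       AS changed_by,     -- who made the change
    t.TargetLoginName AS target_login,   -- whose membership changed
    t.RoleName        AS server_role,
    CASE t.EventSubClass
        WHEN 1 THEN 'ADD'
        WHEN 2 THEN 'DROP'
        ELSE 'UNKNOWN'
    END               AS action
FROM sys.fn_trace_gettable(@trace_path, DEFAULT) AS t
WHERE t.EventClass = 108
  AND t.RoleName = N'sysadmin'
ORDER BY t.StartTime DESC;
```

The default trace rolls over a small set of files, so this gives a recent view for checking what the collector's parsed record should contain, not a long-term audit store.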
