| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Introduction
The tags beginning with db.mssql identify events generated by Microsoft SQL Server.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as db.mssql. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
...
Technology
...
Brand
...
Type
...
Subtype
...
db
...
mssql
...
- type1
- type2
...
...
- subype1
- subtype2
...
These are the valid tags and corresponding data tables that will receive the parsers' data:
...
Tag
...
Data table
...
How is the data sent to Devo?
Use the info in the How is the data sent to Devo? section of the internal doc to fill this section with the required method
Event source → Relay → Devo
Logs generated by Cisco must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:
Add all the rules following the format of the example below:
Relay rule 1 - Versa NGFW Access
Source Port → 13030
Source Data → (.*)accessLog, applianceName=(.*)
Target Tag → network.versa.ngfw.access
Select the Stop Processing and Sent without syslog tag checkboxes
Relay rule 2 - name
...
Event source → Collector → Devo
To send logs to these tables, Devo provides a collector that you can download and use to send the required events to your Devo domain. You can download the collector and learn how to use it in Collector article.
Logs generated by ... are forwarded to Devo using a dedicated collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process. Use this if the collector is not documented
Other (Syslog):
You can forward logs generated by Company using any Syslog drain (for example, Syslog-ng). Learn more about how to send Company logs and their structure here.
Log samples
The following are sample logs sent to each of the db.mssql data tables. Also, find how the information will be parsed in your data table under each sample log.
| Note | ||
|---|---|---|
| ||
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns. |
db.mssql.events
| Code Block |
|---|
2021-09-20 09:59:21.266 localhost=127.0.0.1 db.mssql.events.na.app.logs.host[asdfg1233].ip[10.000.144.00]:{"EventTime":"2021-09-20 05:59:20","Hostname":"cpcwvibmosdp01.americas.manulife.net","Keywords":45035996273704960,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":33205,"SourceName":"MSSQLSERVER","Task":4,"RecordNumber":1375475280,"ProcessID":0,"ThreadID":0,"Channel":"Application","Message":"Audit event: audit_schema_version:1\nevent_time:2021-09-20 09:59:20.4456064\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:198\nserver_principal_id:275\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.101.128.16\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:D1496F9F-948B-463B-8FF4-B23D88E1E9F7\nsession_server_principal_name:MLIDDOMAIN1\\npm_admin\nserver_principal_name:MLIDDOMAIN1\\npm_admin\nserver_principal_sid:010500000000000515000000d8396e0063269a4305684862f9080b00\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:CPCWVIBMOSDP01\ndatabase_name:\nschema_name:\nobject_name:\nstatement:-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\"><pooled_connection>1</pooled_connection><client_options>0x28000020</client_options><client_options1>0x0001f438</client_options1><connect_options>0x00000000</connect_options><packet_data_size>4096</packet_data_size><address>10.101.128.16</address><is_dac>0</is_dac></action_info>\nuser_defined_information:\napplication_name:SolarWinds.InformationService.ServiceV3@domain-Orion\n.","Category":"Logon","EventReceivedTime":"2021-09-20 05:59:20","SourceModuleName":"eventlog_sql","SourceModuleType":"im_msvistalog","SyslogFacilityValue":13,"SyslogSeverityValue":5,"cost_center":"0000","configuration_item":"CI00000584436","team_email":"ibmsqldba@test.com"} |
And this is how the log would be parsed:
...
Field
...
Value
...
Type
...
Extra field
...
Source field name
...
eventdate
...
2021-09-20 09:59:21.266
...
timestamp
...
environment
...
na
...
str
...
venv
...
application
...
app
...
str
...
vapp
...
clon
...
logs
...
str
...
vclon
...
hostname
...
cpcwvibmosdp01.americas.manulife.net
...
str
...
user
...
None
...
str
...
eventTime
...
2021-09-20 05:59:20.0
...
timestamp
...
hostname2
...
cpcwvibmosdp01.americas.manulife.net
...
str
...
keywords
...
45035996273704960
...
int8
...
eventType
...
AUDIT_SUCCESS
...
str
...
severityValue
...
2
...
int4
...
severity
...
INFO
...
str
...
eventID
...
33205
...
int4
...
sourceName
...
MSSQLSERVER
...
str
...
task
...
4
...
int4
...
recordNumber
...
1375475280
...
int8
...
processID
...
0
...
int4
...
threadID
...
0
...
int4
...
channel
...
Application
...
str
...
message
...
Audit event: audit_schema_version:1 event_time:2021-09-20 09:59:20.4456064 sequence_number:1 action_id:LGIS succeeded:true is_column_permission:false session_id:198 server_principal_id:275 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:LX duration_milliseconds:0 response_rows:0 affected_rows:0 client_ip:10.101.128.16 permission_bitmask:00000000000000000000000000000000 sequence_group_id:D1496F9F-948B-463B-8FF4-B23D88E1E9F7 session_server_principal_name:MLIDDOMAIN1\npm_admin server_principal_name:MLIDDOMAIN1\npm_admin server_principal_sid:010500000000000515000000d8396e0063269a4305684862f9080b00 database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:CPCWVIBMOSDP01 database_name: schema_name: object_name: statement:-- network protocol: TCP/IP set quoted_identifier on set arithabort off set numeric_roundabort off set ansi_warnings on set ansi_padding on set ansi_nulls on set concat_null_yields_null on set cursor_close_on_commit off set implicit_transactions off set language us_english set dateformat mdy set datefirst 7 set transaction isolation level read committed additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data">10x280000200x0001f4380x000000004096
...
0> user_defined_information: application_name:SolarWinds.InformationService.ServiceV3@domain-Orion .
...
str
...
category
...
Logon
...
str
...
eventReceivedTime
...
2021-09-20 05:59:20.0
...
timestamp
...
sourceModuleName
...
eventlog_sql
...
str
...
sourceModuleType
...
im_msvistalog
...
str
...
syslogFacilityValue
...
13
...
int4
...
syslogSeverityValue
...
5
...
int4
...
costCenter
...
0000
...
str
...
configurationItem
...
CI00000584436
...
str
...
teamEmail
...
ibmsqldba@test.com
...
str
...
hostchain
...
cpcwvibmosdp01.americas.manulife.net=20.48.135.196
...
str
...
✓
...
tag
...
db.mssql.events.na.app.logs.host[cpcwvibmosdp01].ip[10.201.144.93]
...
str
...
✓
...
rawMessage
...
{"EventTime":"2021-09-20 05:59:20","Hostname":"cpcwvibmosdp01.americas.manulife.net","Keywords":45035996273704960,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":33205,"SourceName":"MSSQLSERVER","Task":4,"RecordNumber":1375475280,"ProcessID":0,"ThreadID":0,"Channel":"Application","Message":"Audit event: audit_schema_version:1\nevent_time:2021-09-20 09:59:20.4456064\nsequence_number:1\naction_id:LGIS\nsucceeded:true\nis_column_permission:false\nsession_id:198\nserver_principal_id:275\ndatabase_principal_id:0\ntarget_server_principal_id:0\ntarget_database_principal_id:0\nobject_id:0\nuser_defined_event_id:0\ntransaction_id:0\nclass_type:LX\nduration_milliseconds:0\nresponse_rows:0\naffected_rows:0\nclient_ip:10.101.128.16\npermission_bitmask:00000000000000000000000000000000\nsequence_group_id:D1496F9F-948B-463B-8FF4-B23D88E1E9F7\nsession_server_principal_name:MLIDDOMAIN1\\npm_admin\nserver_principal_name:MLIDDOMAIN1\\npm_admin\nserver_principal_sid:010500000000000515000000d8396e0063269a4305684862f9080b00\ndatabase_principal_name:\ntarget_server_principal_name:\ntarget_server_principal_sid:\ntarget_database_principal_name:\nserver_instance_name:CPCWVIBMOSDP01\ndatabase_name:\nschema_name:\nobject_name:\nstatement:-- network protocol: TCP/IP\r\nset quoted_identifier on\r\nset arithabort off\r\nset numeric_roundabort off\r\nset ansi_warnings on\r\nset ansi_padding on\r\nset ansi_nulls on\r\nset concat_null_yields_null on\r\nset cursor_close_on_commit off\r\nset implicit_transactions off\r\nset language us_english\r\nset dateformat mdy\r\nset datefirst 7\r\nset transaction isolation level read committed\r\n\nadditional_information:<action_info xmlns=\"http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data\">10x280000200x0001f4380x000000004096
...
0\nuser_defined_information:\napplication_name:SolarWinds.InformationService.ServiceV3@domain-Orion\n.","Category":"Logon","EventReceivedTime":"2021-09-20 05:59:20","SourceModuleName":"eventlog_sql","SourceModuleType":"im_msvistalog","SyslogFacilityValue":13,"SyslogSeverityValue":5,"cost_center":"0000","configuration_item":"CI00000584436","team_email":"ibmsqldba@test.com"}
...
str
...
Overview
ThreatQ (Threat Quotient) is a Threat Intelligence Platform that improves security operations by fusing data sources, tools, and teams to accelerate threat detection and response. ThreatQ’s data-driven security operations platform helps teams prioritize, automate and collaborate on security incidents; enables more focused decision making; and maximizes limited resources by integrating existing processes and technologies into a unified workspace.
The Devo ThreatQ collector retrieves data from its REST API. Particularly, it retrieves events by querying them using their update date as a filter.
Data source description
Listed in the table below are the available events that this collector retrieves. The related remote endpoint for all the data sources listed is the following:
https:/{api_base_url}/api/events/query?limit={limit}&offset={offset}&sort=updated_at
Data source | Table | Description | Available from release |
|---|---|---|---|
Spearphish |
| A spearphish is an email or electronic communications scam targeted toward a specific individual, organization, or business. Although often intended to steal data for malicious purposes. | v1.0.0 |
Watering Hole |
| A watering hole is a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site. | v1.0.0 |
SQL Injection Attack |
| An SQL injection is a type of cyber attack in which a hacker uses a piece of SQL (Structured Query Language) code to manipulate a database and gain access to potentially valuable information. | v1.0.0 |
DoS Attack |
| A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. | v1.0.0 |
Malware |
| A Malware is intrusive software that is designed to damage and destroy computers and computer systems. | v1.0.0 |
Watchlist |
| Watchlists are lists of values that you can then use to filter information in your dashboard views and reports or as a condition that triggers correlation rules or alarms. | v1.0.0 |
Command and Control |
| A command-and-control server is a computer-controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network. | v1.0.0 |
Anonymization |
| Anonymization is a data processing technique that removes or modifies personally identifiable information | v1.0.0 |
Exfiltration |
| Exfiltration is a technique used by malicious actors to target, copy, and transfer sensitive data. | v1.0.0 |
Host Characteristics |
| A host is any device that can permit access to a network via the user interface. | v1.0.0 |
Compromised PKI Certificate |
| A Public Key Infrastructure certificate is compromised when its value has been disclosed to an unauthorized person or an unauthorized person has had access to it. | v1.0.0 |
Login Compromise |
| A login compromise is an account login performed by a person not authorized to use the account. | v1.0.0 |
Incident |
| An incident is an event that is not part of normal operations that disrupts operational processes. An incident may involve the failure of a feature or service that should have been delivered. | v1.0.0 |
Sighting |
| Sighting tracks who and what is the target, how attacks are carried out, and to track trends in attack behavior. | v1.0.0 |
User-Defined event type |
| A user can also create their own event type. | v1.0.0 |
Check some additional information on the following websites:
- ThreatQ Platform
- ThreatQ Help Center (requires authentication, provided when you acquire a ThreatQ license)
- ThreatQ REST API’s Authentication (requires authentication, provided when you acquire a ThreatQ license)
- ThreatQ REST API’s Event Search endpoint (requires authentication, provided when you acquire a ThreatQ license)
Vendor setup
The ThreatQ Collector works over the ThreatQ’s instance API. During the installation process of the ThreatQ instance, a new user will be created. These credentials or some new ones along with the instance address will be the details needed to configure the Devo collector.
| Info |
|---|
The full installation guide details can be found in ThreatQ’s official documentation (authentication required). In this article, only a few steps to get the instance configured are referenced, so we recommend visiting the official sources for a more detailed explanation. |
Devo collector features
Feature | Details |
|---|---|
Allow parallel downloading ( | Not allowed |
Running environments | Collector server, On-premise |
Populated events | Standard events |
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to download data with basic configuration are defined below.
Setting | Details |
|---|---|
| Username to authenticate the service. It must belong to an existing user or the initial one created during the setup. |
| Password to authenticate the service. It must belong to an existing user or the initial one created during the setup. |
| This should be enabled if the ThreatQ's instance has a self-signed certificate. The usual installation steps do not include certificate signing, so this usually should be |
| This parameter defines the URL where the ThreatQ API is available. It has the form of |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).