Versions Compared

Version Old Version 1 New Version Current
Changes made by

Juan Tomás Alonso Nieto (Deactivated)

Carlos Prado Ventura

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

Introduction

The tags beginning with {2-level parser name} db.mssql_snare identify events generated by {product type} belonging to {Company-site} Snare MSSQL.

Valid tags and data tables 

The full tag must have {X} 3 levels. The first two are fixed as {2-level parser name}db.mssql_snare. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

{Service name}

{tag name}

{data table name}

{tag name}

{data table name}

Snare MSSQL

db.mssql_snare.audit

db.mssql_snare.audit

For more information, read more About Devo tags.

How is the data sent to Devo?

Currently the latest version of the Snare Agent for MSSQL (Snare product) is used, and events are sent as Syslog and JSON (not the default Snare format).

Logs generated by Snare MSSQL must be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rule below:

Rule for events of Snare MSSQL

  • Source port - Any available port

  • Sent without syslog tag -

  • Target tag - db.mssql_snare.audit

  • Stop processing -

Table structure

These are the fields displayed in this table:

db.mssql_snare.audit

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

 

 

machine

str

 

 

snare_time

str

 

 

snare_hostname

str

 

 

snare_application_id

str

 

 

snare_log_type

str

 

 

snare_criticality

str

 

 

start_time

timestamp

 

 

sql_version

str

 

 

event_id

str

 

 

event_class

str

 

 

spid

str

 

 

database_name

str

Code Block
(isnull(database_name_aux) or isempty(database_name_aux)) ? action_database_name : database_name_aux

action_database_name

database_name_aux

username

str

Code Block
(isnull(username_aux) or isempty(username_aux)) ? action_username : username_aux

username_aux

action_username

nt_username

str

Code Block
(isnull(nt_username_aux) or isempty(nt_username_aux)) ? action_nt_username : nt_username_aux

nt_username_aux

action_nt_username

application_name

str

Code Block
(isnull(application_name_aux) or isempty(application_name_aux)) ? client_app_name : application_name_aux

application_name_aux

client_app_name

transaction_id

str

Code Block
(isnull(trans_id) or isempty(trans_id)) ? action_transaction_id : trans_id

trans_id

action_transaction_id

event_hostname

str

Code Block
(isnull(event_hostname_aux) or isempty(event_hostname_aux)) ? client_hostname : event_hostname_aux

event_hostname_aux

client_hostname

event_timestamp

timestamp

 

 

session_login_name

str

 

 

num_response_rows

str

 

 

sql_text

str

 

 

session_server_principal_name

str

 

 

session_nt_username

str

 

 

server_principal_name

str

 

 

action_server_instance_name

str

 

 

database_id

str

 

 

task_time

str

 

 

last_error

str

 

 

event_sequence

str

 

 

collect_system_time

str

 

 

attach_activity_id_xfer

str

 

 

attach_activity_id

str

 

 

resource_type

str

 

 

resource_type_text

str

 

 

mode

str

 

 

mode_text

str

 

 

owner_type

str

 

 

owner_type_text

str

 

 

object_id

str

 

 

associated_object_id

str

 

 

resource_description

str

 

 

object_name

str

 

 

object_type

str

 

 

object_type_text

str

 

 

state

str

 

 

state_text

str

 

 

ddl_phase

str

 

 

ddl_phase_text

str

 

 

duration

str

 

 

statement

str

 

 

hostchain

str

 

 

tag

str

 

 

rawMessage

str