Introduction
The tags beginning with db.mssql_snare identify events generated by Snare MSSQL.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as db.mssql_snare. The third level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Snare MSSQL | db.mssql_snare.audit | db.mssql_snare.audit |
For more information, see About Devo tags.
Table structure
These are the fields displayed in this table:
db.mssql_snare.audit
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
snare_time | | | | |
snare_hostname | | | | |
snare_application_id | | | | |
snare_log_type | | | | |
snare_criticality | | | | |
start_time | | | | |
sql_version | | | | |
event_id | | | | |
event_class | | | | |
spid | | | | |
database_name | | (isnull(database_name_aux) or isempty(database_name_aux)) ? action_database_name : database_name_aux | action_database_name, database_name_aux | |
username | | (isnull(username_aux) or isempty(username_aux)) ? action_username : username_aux | username_aux, action_username | |
nt_username | | (isnull(nt_username_aux) or isempty(nt_username_aux)) ? action_nt_username : nt_username_aux | nt_username_aux, action_nt_username | |
application_name | | (isnull(application_name_aux) or isempty(application_name_aux)) ? client_app_name : application_name_aux | application_name_aux, client_app_name | |
transaction_id | | (isnull(trans_id) or isempty(trans_id)) ? action_transaction_id : trans_id | trans_id, action_transaction_id | |
event_hostname | | (isnull(event_hostname_aux) or isempty(event_hostname_aux)) ? client_hostname : event_hostname_aux | event_hostname_aux, client_hostname | |
event_timestamp | | | | |
session_login_name | | | | |
num_response_rows | | | | |
sql_text | | | | |
session_server_principal_name | | | | |
session_nt_username | | | | |
server_principal_name | | | | |
action_server_instance_name | | | | |
database_id | | | | |
task_time | | | | |
last_error | | | | |
event_sequence | | | | |
collect_system_time | | | | |
attach_activity_id_xfer | | | | |
attach_activity_id | | | | |
resource_type | | | | |
resource_type_text | | | | |
mode | | | | |
mode_text | | | | |
owner_type | | | | |
owner_type_text | | | | |
object_id | | | | |
associated_object_id | | | | |
resource_description | | | | |
object_name | | | | |
object_type | | | | |
object_type_text | | | | |
state | | | | |
state_text | | | | |
ddl_phase | | | | |
ddl_phase_text | | | | |
duration | | | | |
statement | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
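The six field transformations in the table above, applied in Python as an added example over a constructed Snare MSSQL event; this is not Devo's parser code, and it assumes that isnull()/isempty() treat None and the empty string as absent. It also adds a check the parser itself does not make: flagging fields where the two source values were both present but disagreed, which matters when the username or database in an audit event is being relied on for attribution.

```python
# Added example (not Devo's own parser): apply the db.mssql_snare.audit
# field transformations from the table above to one parsed event.
# Assumption: isnull()/isempty() are modelled as "value is None or ''".

# (target field, preferred source, fallback source), taken from the
# "Field transformation" column: the *_aux field wins unless it is null/empty.
TRANSFORMATIONS = [
    ("database_name", "database_name_aux", "action_database_name"),
    ("username", "username_aux", "action_username"),
    ("nt_username", "nt_username_aux", "action_nt_username"),
    ("application_name", "application_name_aux", "client_app_name"),
    ("transaction_id", "trans_id", "action_transaction_id"),
    ("event_hostname", "event_hostname_aux", "client_hostname"),
]


def is_absent(value):
    """Model of (isnull(x) or isempty(x)) in the transformation expressions."""
    return value is None or value == ""


def apply_transformations(event):
    """Return the derived fields for one event, plus a list of the target
    fields whose two sources were both present but disagreed. The parser
    silently keeps the preferred source in that case; this conflict check
    is an addition for reviewers of the audit data, not part of the table."""
    derived = {}
    conflicts = []
    for target, preferred, fallback in TRANSFORMATIONS:
        pref_val = event.get(preferred)
        fall_val = event.get(fallback)
        derived[target] = fall_val if is_absent(pref_val) else pref_val
        if not is_absent(pref_val) and not is_absent(fall_val) and pref_val != fall_val:
            conflicts.append(target)
    return derived, conflicts


# Constructed sample event (field values invented for illustration).
SAMPLE_EVENT = {
    "username_aux": "",                 # empty -> fall back to action_username
    "action_username": "sa",
    "database_name_aux": "Payroll",
    "action_database_name": "master",   # both present and different -> conflict
    "client_app_name": "sqlcmd",        # application_name_aux missing -> fallback
    "trans_id": "4711",
    "action_transaction_id": "4711",    # equal, so no conflict
    "client_hostname": "WS-017",        # event_hostname_aux missing -> fallback
}

if __name__ == "__main__":
    fields, conflicts = apply_transformations(SAMPLE_EVENT)
    print(fields, conflicts)
```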