db.mssql_snare

Introduction

The tags beginning with db.mssql_snare identify events generated by Snare MSSQL.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as db.mssql_snare. The third level identifies the type of events sent.

These are the valid tags and the corresponding data tables that receive the parsers' data:

Product / Service | Tags                  | Data tables
----------------- | --------------------- | ---------------------
Snare MSSQL       | db.mssql_snare.audit  | db.mssql_snare.audit

For more information, see About Devo tags.

How is the data sent to Devo?

The integration targets the latest version of the Snare Agent for MSSQL (a Snare product). Events must be sent as syslog messages carrying a JSON payload, not in the default Snare format.

Logs generated by Snare MSSQL must be sent to the Devo platform through the Devo Relay, which secures the transport to Devo. Configure the following relay rule:

Rule for Snare MSSQL events

  • Source port - Any available port

  • Sent without syslog tag - ✓

  • Target tag - db.mssql_snare.audit

  • Stop processing - ✓

Table structure

These are the fields displayed in this table:

db.mssql_snare.audit

Field                         | Type      | Field transformation                                                                          | Source field name                          | Extra fields
----------------------------- | --------- | --------------------------------------------------------------------------------------------- | ------------------------------------------ | ------------
eventdate                     | timestamp |                                                                                               |                                            |
machine                       | str       |                                                                                               |                                            |
snare_time                    | str       |                                                                                               |                                            |
snare_hostname                | str       |                                                                                               |                                            |
snare_application_id          | str       |                                                                                               |                                            |
snare_log_type                | str       |                                                                                               |                                            |
snare_criticality             | str       |                                                                                               |                                            |
start_time                    | timestamp |                                                                                               |                                            |
sql_version                   | str       |                                                                                               |                                            |
event_id                      | str       |                                                                                               |                                            |
event_class                   | str       |                                                                                               |                                            |
spid                          | str       |                                                                                               |                                            |
database_name                 | str       | (isnull(database_name_aux) or isempty(database_name_aux)) ? action_database_name : database_name_aux | action_database_name, database_name_aux    |
username                      | str       | (isnull(username_aux) or isempty(username_aux)) ? action_username : username_aux              | username_aux, action_username              |
nt_username                   | str       | (isnull(nt_username_aux) or isempty(nt_username_aux)) ? action_nt_username : nt_username_aux  | nt_username_aux, action_nt_username        |
application_name              | str       |                                                                                               | application_name_aux, client_app_name      |
transaction_id                | str       |                                                                                               | trans_id, action_transaction_id            |
event_hostname                | str       |                                                                                               | event_hostname_aux, client_hostname        |
event_timestamp               | timestamp |                                                                                               |                                            |
session_login_name            | str       |                                                                                               |                                            |
num_response_rows             | str       |                                                                                               |                                            |
sql_text                      | str       |                                                                                               |                                            |
session_server_principal_name | str       |                                                                                               |                                            |
session_nt_username           | str       |                                                                                               |                                            |
server_principal_name         | str       |                                                                                               |                                            |
action_server_instance_name   | str       |                                                                                               |                                            |
database_id                   | str       |                                                                                               |                                            |
task_time                     | str       |                                                                                               |                                            |
last_error                    | str       |                                                                                               |                                            |
event_sequence                | str       |                                                                                               |                                            |
collect_system_time           | str       |                                                                                               |                                            |
attach_activity_id_xfer       | str       |                                                                                               |                                            |
attach_activity_id            | str       |                                                                                               |                                            |
resource_type                 | str       |                                                                                               |                                            |
resource_type_text            | str       |                                                                                               |                                            |
mode                          | str       |                                                                                               |                                            |
mode_text                     | str       |                                                                                               |                                            |
owner_type                    | str       |                                                                                               |                                            |
owner_type_text               | str       |                                                                                               |                                            |
object_id                     | str       |                                                                                               |                                            |
associated_object_id          | str       |                                                                                               |                                            |
resource_description          | str       |                                                                                               |                                            |
object_name                   | str       |                                                                                               |                                            |
object_type                   | str       |                                                                                               |                                            |
object_type_text              | str       |                                                                                               |                                            |
state                         | str       |                                                                                               |                                            |
state_text                    | str       |                                                                                               |                                            |
ddl_phase                     | str       |                                                                                               |                                            |
ddl_phase_text                | str       |                                                                                               |                                            |
duration                      | str       |                                                                                               |                                            |
statement                     | str       |                                                                                               |                                            |
hostchain                     | str       |                                                                                               |                                            | ✓
tag                           | str       |                                                                                               |                                            | ✓
rawMessage                    | str       |                                                                                               |                                            | ✓
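The database_name, username and nt_username transformations above prefer the *_aux value and fall back to the action_* value only when the aux value is null or an empty string. The following added example (written for this page, not Devo's or Snare's code) applies those three transformations to constructed syslog-framed JSON events so the null/empty/whitespace behaviour can be checked. It assumes the JSON payload keys are named exactly like the "Source field name" column and that each line is framed as "<PRI>timestamp host JSON"; every event value is invented for illustration.

```python
"""Added example: apply the db.mssql_snare.audit coalescing transformations
to constructed Snare MSSQL syslog+JSON lines.

Assumptions (not stated on the page): JSON keys match the "Source field name"
column (action_database_name, database_name_aux, username_aux,
action_username, nt_username_aux, action_nt_username) and the syslog framing
is "<PRI>Mon DD hh:mm:ss host JSON".
"""
import json
import re

# Constructed sample lines. Hosts, users, databases and statements are invented.
SAMPLE_LINES = [
    '<134>Jan 10 12:00:01 sqlhost01 {"snare_hostname":"sqlhost01","event_class":"AUDIT_LOGIN",'
    '"action_database_name":"master","database_name_aux":"",'
    '"action_username":"sa","username_aux":null,'
    '"action_nt_username":"CORP\\\\dba01","nt_username_aux":"CORP\\\\dba01",'
    '"sql_text":"SELECT name FROM sys.databases"}',
    '<134>Jan 10 12:00:02 sqlhost01 {"snare_hostname":"sqlhost01","event_class":"DATABASE_OBJECT_ACCESS",'
    '"action_database_name":"payroll","database_name_aux":"payroll_aux",'
    '"action_username":"svc_report","username_aux":"",'
    '"sql_text":"SELECT * FROM dbo.Salaries"}',
]

# Assumed syslog framing: PRI, BSD timestamp, hostname, then the JSON object.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>\{.*\})$"
)


def coalesce(aux, fallback):
    """Devo expression `(isnull(aux) or isempty(aux)) ? fallback : aux`.

    A missing key, a JSON null and an empty string all fall back; a value made
    only of whitespace is NOT empty and is kept as-is.
    """
    if aux is None or aux == "":
        return fallback
    return aux


def parse_event(line):
    """Split the syslog header from the JSON payload and derive the three
    coalesced table fields. Raises ValueError on a line that is not framed
    as assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is not a syslog-framed Snare MSSQL event")
    payload = json.loads(m.group("msg"))
    event = dict(payload)
    event["database_name"] = coalesce(payload.get("database_name_aux"),
                                      payload.get("action_database_name"))
    event["username"] = coalesce(payload.get("username_aux"),
                                 payload.get("action_username"))
    event["nt_username"] = coalesce(payload.get("nt_username_aux"),
                                    payload.get("action_nt_username"))
    # Helper key for the example only; not a column of db.mssql_snare.audit.
    event["_syslog_host"] = m.group("host")
    return event


def parse_all(lines=SAMPLE_LINES):
    """Parse every constructed line and return the derived events."""
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev["event_class"], ev["database_name"], ev["username"], ev["nt_username"])
```

The first sample carries an empty database_name_aux and a null username_aux, so both resolve to the action_* values, while the second sample has a populated database_name_aux that wins over action_database_name. When both the aux and action values are absent the derived field is null, which is what a query on the resulting table should expect for events that carry neither.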