We're setting up the SecOps Chronicle and want to monitor our SQL db for security events.
What logs should we send?
For database logs, it's great to consider collecting:
1) Authentication, Authorization and user/role/permissions Logs, which helps in detecting login anomalies, new db users, users added to privileged roles, brute-force attacks, credential stuffing, unauthorized access attempts, and tracking user activity sessions.
2) Data Definition Language (DDL) Logs, to audit the creation, modification and deletion of tables, stored procedures, functions, triggers, databases, etc.
3) Data Manipulation Language (DML) Logs, to audit SQL commands such as SELECT, INSERT, UPDATE and DELETE statements, which helps in detecting transaction anomalies such as a threat actor accessing or manipulating sensitive or critical tables, a user suddenly accessing financial records they never touched before, or large or unusual SELECT operations, especially on sensitive tables. This can be very high in volume; it could be limited or filtered to highly sensitive tables (e.g., user credentials, financial data, PII).
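As an added illustration of the three log categories above (example code, not from the original thread and not Chronicle's own rule language), the following Python detector runs over a few constructed audit events: it flags a failed-login burst, a grant into a privileged role, first-time access to a sensitive table, and a bulk read, and shows the volume filter that keeps only DML against sensitive tables. The event field names, table names, roles and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample audit events. The field names are an assumption for
# illustration, not a real vendor's audit-log schema.
EVENTS = [
    {"ts": 1, "user": "app", "src": "10.0.0.5", "action": "LOGIN", "status": "OK"},
    *[{"ts": 2 + i, "user": "sa", "src": "10.0.0.9", "action": "LOGIN", "status": "FAIL"} for i in range(6)],
    {"ts": 9, "user": "dba", "src": "10.0.0.7", "action": "GRANT", "object": "role:db_owner",
     "target": "svc_report", "status": "OK"},
    {"ts": 10, "user": "svc_report", "src": "10.0.0.8", "action": "SELECT", "object": "dbo.payroll",
     "rows": 250000, "status": "OK"},
    {"ts": 11, "user": "app", "src": "10.0.0.5", "action": "SELECT", "object": "dbo.orders",
     "rows": 40, "status": "OK"},
]

SENSITIVE_TABLES = {"dbo.payroll", "dbo.users", "dbo.card_data"}  # scope DML collection to these
PRIVILEGED_ROLES = {"role:db_owner", "role:sysadmin"}
BASELINE = {("app", "dbo.orders")}  # (user, table) pairs seen during normal operation
FAIL_THRESHOLD = 5                  # failed logins from one user/source before alerting
BULK_ROWS = 100_000                 # SELECT row count treated as a bulk read


def dml_worth_forwarding(event):
    """Volume control: forward DML only when it touches a sensitive table."""
    return event["action"] in {"SELECT", "INSERT", "UPDATE", "DELETE"} \
        and event.get("object") in SENSITIVE_TABLES


def detect(events, baseline=BASELINE):
    """Return a list of (rule, detail) tuples covering auth, DDL/role and DML anomalies."""
    alerts, failures, seen = [], defaultdict(int), set(baseline)
    for e in events:
        key = (e["user"], e["src"])
        if e["action"] == "LOGIN" and e["status"] == "FAIL":
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:  # alert once per user/source pair
                alerts.append(("BRUTE_FORCE", f"{e['user']} from {e['src']}"))
        elif e["action"] == "GRANT" and e.get("object") in PRIVILEGED_ROLES:
            alerts.append(("PRIV_ROLE_GRANT", f"{e['target']} -> {e['object']} by {e['user']}"))
        elif dml_worth_forwarding(e):
            pair = (e["user"], e["object"])
            if pair not in seen:  # this user has never touched this sensitive table
                seen.add(pair)
                alerts.append(("FIRST_SENSITIVE_ACCESS", f"{e['user']} {e['action']} {e['object']}"))
            if e["action"] == "SELECT" and e.get("rows", 0) >= BULK_ROWS:
                alerts.append(("BULK_SENSITIVE_READ", f"{e['user']} read {e['rows']} rows from {e['object']}"))
    return alerts
```

Running `detect(EVENTS)` yields four alerts; the `app` read of `dbo.orders` is dropped by the sensitive-table filter, which is the volume trade-off the answer describes.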