This hunting query identifies a user being removed from the SecurityAdmin group of SQL Server. It relies on the SQLEvent KQL parser function.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Microsoft Windows SQL Server Database Audit |
| ID | f35b879c-c836-4502-94f2-c76b7f06f02d |
| Tactics | Persistence, PrivilegeEscalation, Impact |
| Techniques | T1098, T1078, T1496 |
| Required Connectors | AzureMonitor(WindowsEventLogs) |
| Source | View on GitHub |