Azure SQL Database solution for sentinel




Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com/
Categories | domains
Version | 3.0.0
Author | Microsoft - support@microsoft.com
First Published | 2022-08-19
Solution Folder | Azure SQL Database solution for sentinel
Marketplace | Azure Marketplace · Popularity: 🟢 High (80%)

The Azure SQL Database solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

Underlying Microsoft Technologies used:

This solution depends on the following technologies; some of these dependencies may be in Preview or may incur additional ingestion or operational costs:

a. Azure Monitor Resource Diagnostics

Contents

Data Connectors

This solution provides 1 data connector(s):

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 3 table(s):

Table | Used By Connectors | Used By Content
AzureActivity | - | Workbooks
AzureDiagnostics | 🔶 Azure SQL Databases | Analytics, Hunting, Workbooks
Operation | - | Workbooks

Internal Tables

The following 2 table(s) are used internally by this solution's content items:

Table | Used By Connectors | Used By Content
SecurityAlert | - | Workbooks
SecurityIncident | - | Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 19 content item(s):

Content Type | Count
Analytic Rules | 10
Hunting Queries | 8
Workbooks | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Affected rows stateful anomaly on database | Medium | Impact | AzureDiagnostics
Credential errors stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics
Drop attempts stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics
Execution attempts stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics
Firewall errors stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics
Firewall rule manipulation attempts stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics
OLE object manipulation attempts stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics
Outgoing connection attempts stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics
Response rows stateful anomaly on database | Medium | Exfiltration | AzureDiagnostics
Syntax errors stateful anomaly on database | Medium | InitialAccess | AzureDiagnostics

Hunting Queries

Name | Tactics | Tables Used
Affected rows stateful anomaly on database - hunting query | Impact | AzureDiagnostics
Anomalous Query Execution Time | InitialAccess | AzureDiagnostics
Anomalous Query Execution Time | InitialAccess | AzureDiagnostics
Boolean Blind SQL Injection | InitialAccess | AzureDiagnostics
Prevalence Based SQL Query Size Anomaly | InitialAccess | AzureDiagnostics
Response rows stateful anomaly on database - hunting query | Exfiltration | AzureDiagnostics
Suspicious SQL Stored Procedures | InitialAccess | AzureDiagnostics
Time Based SQL Query Size Anomaly | InitialAccess | AzureDiagnostics

Workbooks

Name | Tables Used
Workbook-AzureSQLSecurity | AzureActivity, AzureDiagnostics, Operation (internal use: SecurityAlert, SecurityIncident)

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.0 | 25-10-2024 | Updated description of CreateUi and Analytic Rule
