SQL Auditing and threat detection

  • Hi all,

    I wondered if anyone had any experience, words of wisdom or comments on a way to achieve threat detection with SQL Server 2017+.

    I'm looking at how we can detect things like an authorised user or activity out of normal hours, anything that's not the norm.

    I can kind of do this using audit specifications and triggering an action when a row is captured etc., but I think it's going to be a real pain to build and maintain, and I'm sure there must be better methods or products out there that can do this, surely there must be.

    Any comments are welcome,

    Thanks,

    Nic

  • I am not aware of any tools that do this automatically for you, but that doesn't mean there are not any.

    Where I work, we don't actively monitor for things like that.  On our secure systems, we have an "active users" count on RedGate SQL Monitor and if the numbers look odd, we investigate it (like someone working overnight).  But every time that we have seen abnormalities, it is not a threat.  It has always been someone forgetting to log out when they were done and leaving the connection open all night OR someone working outside their normal hours.

    I think it also depends on how detailed you want the logging to be.  Our system is OK with just having a count and we investigate if it seems odd, but you may want to know who and when.

    Also, any tool that does this automatically for you is likely just creating database triggers or audits for you in the back end.  In which case it may be better for you to make them as then you can control what is being monitored and logged.

    The above is all just my opinion on what you should do.
    As with all advice you find on a random internet forum - you shouldn't blindly follow it.  Always test on a test server to see if there are negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.
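As an added illustration of the audit-specification approach the first post describes (and the "build them yourself so you control what is logged" point in the reply), here is a T-SQL sketch that is not from either poster: a server audit capturing logins, and a query over the audit file that flags logins outside a working window. The file path, the service-account allow-list, the 07:00-19:00 Monday-Friday window and the 'GMT Standard Time' zone are placeholders to adjust.

```sql
-- Added example, not from the thread. Path, accounts, hours and time zone
-- are placeholders; change them to match your estate.

-- 1. Server-level audit writing to a rolling set of .sqlaudit files.
CREATE SERVER AUDIT [Audit_OutOfHours]
TO FILE (FILEPATH = N'D:\SQLAudit\',            -- placeholder path
         MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [Audit_OutOfHours] WITH (STATE = ON);

-- 2. Audit specification: record every login attempt, successful or failed.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Logins]
FOR SERVER AUDIT [Audit_OutOfHours]
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO

-- 3. Detection query: logins outside the working window, excluding known
--    service accounts. event_time in the audit file is UTC, so convert it
--    to local time before comparing against business hours.
SET DATEFIRST 1;   -- Monday = 1, so Saturday = 6 and Sunday = 7

DECLARE @StartHour int = 7, @EndHour int = 19;

SELECT  lt.t                    AS local_time,
        a.server_principal_name,
        a.client_ip,
        a.application_name,
        a.host_name,            -- column available in SQL Server 2017+
        CASE a.action_id
             WHEN 'LGIS' THEN 'login succeeded'
             WHEN 'LGIF' THEN 'login FAILED'
        END                     AS outcome
FROM    sys.fn_get_audit_file(N'D:\SQLAudit\Audit_OutOfHours*.sqlaudit',
                              DEFAULT, DEFAULT) AS a
CROSS APPLY (SELECT CAST(a.event_time AT TIME ZONE 'UTC'
                         AT TIME ZONE 'GMT Standard Time' AS datetime2) AS t) AS lt
WHERE   a.action_id IN ('LGIS', 'LGIF')
  AND   a.server_principal_name NOT IN (N'DOMAIN\svc_backup',    -- placeholder
                                        N'DOMAIN\svc_etl')       -- allow-list
  AND  (DATEPART(WEEKDAY, lt.t) >= 6              -- weekend
        OR DATEPART(HOUR, lt.t) <  @StartHour     -- before start of day
        OR DATEPART(HOUR, lt.t) >= @EndHour)      -- after end of day
ORDER BY a.event_time DESC;
```

Run the query on a schedule (an Agent job that mails or logs any rows is enough to start) rather than firing on every captured row; the reply's point about long-open sessions still applies, since a login inside hours followed by activity overnight needs database-level audit actions, not login events, to surface.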
