61072,61071 windows_eventchannel ^MSSQLSERVER$ ^Application$ no_full_log MSSQL: Windows Event Log event from SQL Server Application channel. windows 60001 windows_eventchannel ^MSSQLSERVER\$\w+$ ^Security$ no_full_log MSSQL: Windows Event Log event from SQL Server Audit (Security channel). windows 100000 ^18452$|^18454$ MSSQL: Successful login - User: $(win.eventdata.data) authentication_success,mssql_login, 100000 ^18456$ MSSQL: Failed login attempt - User: $(win.eventdata.data) authentication_failed,mssql_login, 100000,100006 ^33205$ action_id:LGIS MSSQL Audit: Login success - User: $(mssql.server_principal_name) from $(mssql.client_ip) authentication_success,mssql_audit, 100000,100006 ^33205$ action_id:LGIF MSSQL Audit: Login failed - User: $(mssql.server_principal_name) from $(mssql.client_ip) authentication_failed,mssql_audit, 100000,100006 ^33205$ action_id:(?!LGIS|LGIF)\w MSSQL Audit: DB action $(mssql.action_id) by $(mssql.server_principal_name) from $(mssql.client_ip) mssql_audit, 100003,100005 etc/lists/mssql_whitelist MSSQL: Authorized connection - User $(mssql.server_principal_name) from whitelisted IP $(mssql.client_ip) mssql_authorized,mssql_user_ip_match, 100003,100005 etc/lists/mssql_whitelist_ips MSSQL: Authorized connection from trusted IP $(mssql.client_ip) - User: $(mssql.server_principal_name) mssql_authorized,mssql_ip_only_match, 100003,100005 etc/lists/mssql_whitelist etc/lists/mssql_whitelist_ips MSSQL ALERT: UNAUTHORIZED connection - User $(mssql.server_principal_name) from $(mssql.client_ip) not in any whitelist mssql_unauthorized,invalid_connection,pci_dss_10.2.4,gdpr_IV_35.7.d,hipaa_164.312.b, alert_by_email 100003,100005 etc/lists/mssql_whitelist etc/lists/mssql_whitelist_ips MSSQL ALERT: User $(mssql.server_principal_name) connecting from UNAUTHORIZED IP $(mssql.client_ip) - possible credential theft mssql_unauthorized,credential_misuse,pci_dss_10.2.4, alert_by_email 100004 etc/lists/mssql_whitelist MSSQL: Failed login from authorized user $(mssql.server_principal_name) at $(mssql.client_ip) mssql_authorized,authentication_failed,mssql_auth_failed_trusted, 100004 etc/lists/mssql_whitelist_ips MSSQL: Failed login from trusted IP $(mssql.client_ip) - User: $(mssql.server_principal_name) mssql_authorized,authentication_failed,mssql_auth_failed_trusted, 100004 etc/lists/mssql_whitelist etc/lists/mssql_whitelist_ips MSSQL ALERT: Failed login from UNAUTHORIZED source - User $(mssql.server_principal_name) from $(mssql.client_ip) mssql_unauthorized,authentication_failed, 100002 etc/lists/mssql_whitelist MSSQL ALERT: Failed login from unknown user $(win.eventdata.data) - enable SQL Server Audit for IP-based whitelist mssql_unauthorized,authentication_failed, 100004 MSSQL CRITICAL: Burst of audit login failures on $(win.system.computer) - possible brute force mssql_unauthorized,mssql_brute_force,attack, alert_by_email mssql_auth_failed_trusted mssql.client_ip MSSQL: Multiple failed login attempts from authorized source $(mssql.client_ip) authentication_failures,mssql_brute_force, 100015 win.eventdata.data MSSQL: Multiple failed login attempts for user $(win.eventdata.data) authentication_failures,mssql_brute_force, 100010,100013 ^[Ss][Aa]$ MSSQL CRITICAL: SA account login from UNAUTHORIZED source $(mssql.client_ip) mssql_unauthorized,mssql_privileged,admin_login,attack, alert_by_email 100060,100062 ^[Ss][Aa]$ MSSQL WARNING: SA account login from $(mssql.client_ip) mssql_privileged,admin_login, 100010,100013 22:00 - 06:00 MSSQL CRITICAL: After-hours connection from UNAUTHORIZED source $(mssql.client_ip) mssql_unauthorized,mssql_afterhours,attack, alert_by_email 100060,100062 22:00 - 06:00 MSSQL: After-hours database connection from $(mssql.client_ip) - User: $(mssql.server_principal_name) mssql_afterhours,policy_violation, 100001 \[CLIENT: (?!127\.0\.0\.1|::1|192\.168\.1\.227|192\.168\.1\.69|<local machine>) MSSQL ALERT: Successful login from non-whitelisted source - mssql_unauthorized,authentication_success,pci_dss_10.2.4,gdpr_IV_35.7.d, alert_by_email 100000,100006 ^33205$ action_id:LGIS client_ip:(?!127\.0\.0\.1|::1|192\.168\.1\.227|192\.168\.1\.69) MSSQL ALERT: Audit successful login from non-whitelisted IP - mssql_unauthorized,authentication_success,pci_dss_10.2.4,gdpr_IV_35.7.d, alert_by_email 100001 (?i)(?:^(?:sa|administrator),\s.*\[CLIENT:\s(?!127\.0\.0\.1|::1|192\.168\.1\.69|192\.168\.1\.227|<local machine>))|(?:^domain\\sqladmin,\s.*\[CLIENT:\s(?!192\.168\.1\.69|192\.168\.1\.227)) MSSQL ALERT: Monitored user logged in from unexpected source: $(win.eventdata.data) mssql_unauthorized,authentication_success,credential_misuse,pci_dss_10.2.4,gdpr_IV_35.7.d, alert_by_email 100000,100006 ^33205$ action_id:LGIS (?i)(?:server_principal_name:(?:sa|administrator)\b.*client_ip:(?!127\.0\.0\.1|::1|192\.168\.1\.69|192\.168\.1\.227))|(?:server_principal_name:domain\\sqladmin\b.*client_ip:(?!192\.168\.1\.69|192\.168\.1\.227)) MSSQL ALERT: Monitored user logged in from unexpected IP mssql_unauthorized,authentication_success,credential_misuse,pci_dss_10.2.4,gdpr_IV_35.7.d, alert_by_email