BuildingSecurity Audits with Extended Events
0 likes2,628 views
The document discusses using Extended Events in SQL Server to perform security audits. It describes the components of Extended Events including events, actions, predicates, targets, and packages. It then provides examples of how to build audits to track logins and queries, demonstrating how to capture useful security information without invasive monitoring. Templates are shown for login and query audits that can be directed to file, ring buffer, or event stream targets.
BuildingSecurity Audits with Extended Events
- 1. Building Security Audits with Extended Events
- 2. Jason Strate e: jstrate@pragmaticworks.com e: jasonstrate@gmail.com b: www.jasonstrate.com t: StrateSQL Resources jasonstrate.com/go/xevents Introduction MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 3. MAKING BUSINESS INTELLIGENT www.pragmaticworks.com • Founded 2008 by MSFT MVP Brian Knight • Focused on the MSFT SQL Server Platform • Provides services, training and software • MSFT/HP “go to” partner: • Gold Certified: o BI o Data Management o SQL Performance • Team led by multiple MVP’s • Offices throughout the US with Corporate HQ in Jacksonville, FL Pragmatic Works Company History
- 5. Do you know where your data is?
- 6. Do you know who is accessing your data?
- 9. Agenda Why Security Audits? Security Audit Components Building a Login Audit Building a Query Audit
- 10. Agenda Why Security Audits? Security Audit Components Building a Login Audit Building a Query Audit
- 11. Why Do We Need Security Audits? Regulations Corporate Policy Responsibilities
- 12. Most Important Reason Everyone Lies! Even Unicorns, While They Are Doing Their Jobs
- 14. Types of Audits Common Criteria Compliance C2 Audit Tracing SQL Audit Extended Events
- 15. Types of Audits Common Criteria Compliance C2 Audit Tracing SQL Audit Extended Events
- 16. CCC and C2 Concerns • Difficult to manage • Too much data • Too little control • Behavior changes in SQL Server MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 17. SQL Audit • Two audit levels – Server (Instance) – Database • Captures preset data • Sync or async targets – File – Security log – Application log • Standard and Enterprise – SQL Server 2012 MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 18. SQL Audit • No control on columns – Maybe too much data • Limited output formats – Maybe need in-flight aggregation • Need something less? MAKING BUSINESS INTELLIGENT www.pragmaticworks.com Perfect for tracking permissions changes, login creation, DBCC activity, backups and restores, etc.
- 19. Do you know SQL Audit?
- 20. SQL AUDIT Demo
- 21. “Lower” Solution • Less invasive • Temporary need • Scenarios… – What about Bob, the New DBA? – How often is Sally accessing the database? – What is the application logon/logout frequency? MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 22. Agenda Why Security Audits? Security Audit Components Building a Login Audit Building a Query Audit
- 23. Components Events Actions Predicates Targets Packages MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 24. Packages Events Actions Predicates Targets Packages • sqlserver • SecAudit MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 25. Events Events Actions Predicates Targets Packages • Logon • Logout • SQL Statement Starting • RPC Starting • Module Start • SQL Batch Starting MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 26. Actions Events Actions Predicates Targets Packages • User Name • Client App Name • Client Hostname • Database Id • Database Name • NT Username • Server Instance Name • Server Principal Name • SQL Text • User Name MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 27. PREDICATES Events Actions Predicates Targets Packages WHERE • Equal • Greater Than • Less Than • Not Equal • LIKE FILTERS • AND • OR MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 28. Targets Events Actions Predicates Targets Packages • File Target • Ring Buffer • Event Stream MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 29. Agenda Why Security Audits? Security Audit Components Building a Login Audit Building a Query Audit
- 30. Login Scenario • How often is a login being used? • When are logins occurring? • What applications are using a login? • What host has the most logins? MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 31. Login Audits • Connection Tracking template – Login – Logout – Connectivity Ring Buffer Recorded • Targets – File target for long term analysis – Ring buffer for shorty term activity – Event stream for real-time analysis MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 32. LOGIN AUDITS Demo MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 33. Agenda Why Security Audits? Security Audit Components Building a Permissions Audit Building a Query Audit
- 34. Query Audit • What queries did the new DBA run? • What is being run against XYZ database? • What is the developer doing that keeps causing SEVERITY 20 errors? MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 35. Query Audit • Query level auditing – RPC Starting – Module Start – SP Statement Starting – SQL Batch Starting – SQL Statement Starting • Targets – Same as Login Audit MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 36. QUERY AUDIT Demo MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 37. Any Questions?
- 38. Learn More About Extended Events MAKING BUSINESS INTELLIGENT www.pragmaticworks.com
- 39. Services Speed development through training, and rapid development services from Pragmatic Works. Products BI products to covert to a Microsoft BI platform and simplify development on the platform. Foundation Helping those who do not have the means to get into information technology achieve their dreams. For more information… Name: Jason Strate Email: jstrate@pragmaticworks.com Blog: www.jasonstrate.com Resource: jasonstrate.com/go/xevents