Forum Discussion
raisaurabh777 (Microsoft), Jan 25, 2019
Azure Security Center Recommendations Log Analytics Query syntax
Hi
My customer wants to write custom Log Search Queries (in Log Analytics) for Azure SQL for the following Scenarios:
• Log failures, manual logging shut down and attempts to purge
• Attempts to access OS functionality via the database
• Known attack profiles, such as buffer overflow, denial of service, SQL injection
• Use of the Application ID (ApplID) from a source other than the defined owner Application location (based on host name or IP address of App / Reporting Server)
Please Note: I know Advanced Threat Protection covers some of the scenarios mentioned here e.g. detecting SQL Injections, etc… But the customer wants custom queries for all of these scenarios.
I have the following Questions:
• Which AUDIT GROUPS should I enable to capture more logs (apart from the 3 that are enabled by default) so that I can write queries for the above use cases using KQL on the logs collected?
• If we keep ATP aside and assume that SQL Server is running on a VM in Azure, how would we achieve the above use cases based on the logs collected via the MMA agent installed on the VM?
• The customer is using these custom queries to get the appropriate result set and in turn to create Power BI dashboards which they want to share with their customers. How can I get ATP data/recommendations outside the Azure Portal so that the customer can create visualizations on top of it and share them with its customers?
• Please Note: I have seen the Azure Security Center REST API documentation and I know I can pull Recommendations and Tasks using these APIs, but that’s not what the customer is looking for. The customer wants the underlying data and a custom query on top of it which detects the security incident. I know these incidents are generated by complex ML algorithms running under the hood, but I hope I was able to put across the customer’s expectation clearly.
Please let me know your inputs on what’s possible and pointers on how to achieve it.
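As an added illustration of the fourth scenario (an application identity used from a source other than its defined owner location), not part of the original post: a KQL query over Azure SQL audit records that flags application-name/client-IP pairs outside an allow-list. It assumes SQL auditing is streamed to the workspace as `AzureDiagnostics` rows with `Category == "SQLSecurityAuditEvents"`, and that the column names used below (`application_name_s`, `client_ip_s`, `host_name_s`, `server_principal_name_s`, `database_name_s`, `LogicalServerName_s`, `statement_s`) match that schema; the owner mapping is a constructed sample.

```kusto
// Added example, not from the post. Assumes Azure SQL auditing is sent to Log Analytics
// (AzureDiagnostics, Category "SQLSecurityAuditEvents"); column names are assumed from
// that schema and should be checked against the workspace with `AzureDiagnostics | getschema`.
// Constructed sample: which application identity is allowed from which app/reporting server IP.
let owner_map = datatable(app:string, allowed_ip:string)
[
    "ReportingApp", "10.0.1.5",
    "ReportingApp", "10.0.1.6",
    "BillingApp",   "10.0.2.10"
];
AzureDiagnostics
| where Category == "SQLSecurityAuditEvents"
| where isnotempty(application_name_s) and isnotempty(client_ip_s)
| project TimeGenerated, LogicalServerName_s, database_name_s, server_principal_name_s,
          app = application_name_s, ip = client_ip_s, host_name_s, statement_s
// Only judge applications that have a defined owner location.
| where app in ((owner_map | distinct app))
// Drop every (app, ip) pair that matches the allow-list; what remains is unexpected origin.
| join kind=leftanti owner_map on app, $left.ip == $right.allowed_ip
| summarize events = count(),
            first_seen = min(TimeGenerated),
            last_seen = max(TimeGenerated),
            sample_hosts = make_set(host_name_s, 5),
            sample_statements = make_set(statement_s, 3)
          by LogicalServerName_s, database_name_s, app, ip, server_principal_name_s
| order by events desc
```

Saved as a Log Analytics query (or scheduled as an alert rule), the result set can feed the Power BI dashboards mentioned above without going through the Security Center recommendations API.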