ProTip: StealthAUDIT Data Views for SQL Sensitive Criteria Matches

With our focus on SQL Attacks this month, I naturally think about what data is being attacked as well. StealthAUDIT’s SQL Solution Set can show us a lot of valuable information, but it collects even more than is immediately shown.

StealthAUDIT Data Views are my go-to tool when I want advanced manipulation of data for an export.  Some of these are immediately available, and others must be “turned on” for viewing in the job tree.

First, an analysis must be configured; here I’ve chosen the SQL_SensitiveDataScan job because it’s associated with the data I want. Select Create Analysis from Jobs > SQL > 0.Collection > 1-SQL_SensitiveDataScan > Configure > Analysis.

Here we’ll want to select SQLscripting from the Analysis Module drop-down, and then click the Configure Analysis option beside it:

(I typically use the description here to designate what table/view is being used)

Now populate the Table Name field with your desired table/view, place the table/view name within the brackets in the query below, click Save and Close, and then save the Analysis:

Here we don’t have to rerun the job because the data has already been processed, but we will need to refresh the job.  Simply right-click the job itself and select Refresh Tree:

Our table/view should now be available within the Results node of the job. Once selected, the data will be available in the right-hand pane for either immediate export (right-click the table/view name) or interactive sorting and filtering. The column headers can be dragged to the top for easy grouping, organized right to left as desired, or even removed, all without affecting the data itself:

Finally, the dropdowns on each column header provide advanced filtering capabilities.  Here I’ve grouped by criteria_name (sensitive data type), where I can see counts of each sensitive data type but would like to set a custom filter like so:

This custom filter lets me set the filter type, and I can use ‘ _ ’ or ‘ * ’ for wildcarding:

To learn more about how STEALTHbits enables organizations to manage and secure Microsoft SQL servers and databases, click here: https://www.stealthbits.com/sql-server-auditing

Jeff is a Senior Engineer at STEALTHbits.
