Hello,
We are using a SIEM solution (QRadar) to detect data theft attempts (SQL DB dumps).
The customer is using an MSSQL 2008 (on WIN2012). The audit logs are sent to the QRadar solution. The goal is to detect data theft and then raise a security incident.
Question #1: How can we detect a DB dump attempt (by analyzing the logs), or another way to steal a database?
Which logs are involved?
Question #2: If we consider that such an action (SQL DB dump, ...) needs some time to be processed, I can monitor each SQL query's duration;
if a query lasts too long (let's say more than 1 minute), then QRadar will raise a security alert.
The question here is: how can I force MSSQL to log EACH SQL query?
Question #3: I know about "SET STATISTICS TIME ON;" and "SET STATISTICS TIME OFF;",
but I don't know how to enable it by default on each query (without the need to call these 2 statements in each query).
I also tested the "SQL Server Profiler", but I don't know if it is the best solution.
I don't know if the Profiler can be executed as a service (no need to launch the Server Profiler manually).
Please don't hesitate to ask me additional questions if I am not clear.
Thanks for your help
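One way to capture the long-running-query condition described in Questions #2 and #3 server-side, without Profiler, is an Extended Events session. The T-SQL below is an added example written for this thread, not code from the original post or from the QRadar product. It assumes SQL Server 2012+ syntax (on SQL Server 2008 the file target is named package0.asynchronous_file_target and also requires a metadatafile argument), a placeholder output path under C:\XEvents\, and an assumed row-count threshold of 100000 as a second indicator of a bulk read; the 1-minute duration threshold is the one from the question.

```sql
-- Added example (not from the original post): an Extended Events session that
-- records every completed batch running longer than the 1-minute threshold from
-- the question, or returning an unusually large number of rows (assumed
-- threshold of 100000 rows; tune per workload). Syntax is SQL Server 2012+;
-- on SQL Server 2008 the file target is package0.asynchronous_file_target
-- and also needs a metadatafile argument. The file path is a placeholder.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'LongRunningQueries')
    DROP EVENT SESSION [LongRunningQueries] ON SERVER;
GO

CREATE EVENT SESSION [LongRunningQueries] ON SERVER
ADD EVENT sqlserver.sql_batch_completed
(
    ACTION
    (
        sqlserver.client_app_name,
        sqlserver.client_hostname,
        sqlserver.database_name,
        sqlserver.server_principal_name,
        sqlserver.sql_text
    )
    -- duration is reported in microseconds: 60 s = 60,000,000
    WHERE duration > 60000000 OR row_count > 100000
)
ADD TARGET package0.event_file
(
    SET filename = N'C:\XEvents\LongRunningQueries.xel',  -- placeholder path
        max_file_size = (50),        -- MB per file
        max_rollover_files = (5)
)
WITH
(
    MAX_MEMORY = 4096 KB,
    EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS,
    MAX_DISPATCH_LATENCY = 5 SECONDS,
    STARTUP_STATE = ON   -- session restarts with the instance; nothing to launch manually
);
GO

ALTER EVENT SESSION [LongRunningQueries] ON SERVER STATE = START;
GO

-- Read back what was captured, one row per suspicious batch, in a flat shape
-- that a log collector can export to the SIEM.
SELECT
    x.event_data.value('(event/@timestamp)[1]', 'datetime2')                                        AS event_time_utc,
    x.event_data.value('(event/data[@name="duration"]/value)[1]', 'bigint') / 1000000               AS duration_s,
    x.event_data.value('(event/data[@name="row_count"]/value)[1]', 'bigint')                        AS row_count,
    x.event_data.value('(event/action[@name="server_principal_name"]/value)[1]', 'nvarchar(128)')   AS login_name,
    x.event_data.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(128)')         AS client_host,
    x.event_data.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(256)')         AS client_app,
    x.event_data.value('(event/action[@name="database_name"]/value)[1]', 'nvarchar(128)')           AS database_name,
    x.event_data.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)')                AS batch_text
FROM
(
    SELECT CAST(f.event_data AS XML) AS event_data
    FROM sys.fn_xe_file_target_read_file(N'C:\XEvents\LongRunningQueries*.xel', NULL, NULL, NULL) AS f
) AS x
ORDER BY event_time_utc DESC;
```

Two points for the SIEM side: the predicate filters on the server, so only batches that cross a threshold are written, which keeps the volume manageable compared with tracing every statement; and STARTUP_STATE = ON is what makes the capture survive restarts, so nothing has to be started by hand. The batch_text and sql_text columns contain the full query text, which can include literal data values, so treat the .xel files and whatever is forwarded to QRadar as sensitive.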