SQL SA Admin user enabled
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects scenarios where an attacker enables the SA admin account on the SQL Server instance.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "MSSQL Operation" AND (ACTIONID = "LGEA" AND CLASSTYPE = "SL" AND OBJECTNAME = "sa")
select Action1.USERNAME,Action1.MESSAGE,Action1.DOMAIN,Action1.HOSTNAME,Action1.STATEMENT,Action1.OBJECTNAME,Action1.SCHEMANAME,Action1.DATABASENAME,Action1.INSTANCENAME,Action1.CLASSTYPE,Action1.ACTIONID
Detection
Execution Mode
realtime
Log Sources
SQL Server


