Security

Is there a Splunk alert to identify when a database is copied?

Fritto73
New Member

I want to monitor any database copies that are made. Whether it be a backup or copy to flat file. Can Splunk capture this

0 Karma

muebel
SplunkTrust

Yes, but it depends on auditing the copy. You have to be able to capture the event from either the filesystem or database perspective, and then index that event in Splunk. Once you do so, you can create an alert that runs a search to find that event, and if it does it will take an action (send an email).

0 Karma

Fritto73
New Member

What I am looking for is a security feature. If we can monitor for unauthorized copies or access.

0 Karma

jeffland
SplunkTrust

What database are we talking about? Assuming an external database on some server, the answer is simple: if you can make that database log its accesses to a file or some other output (e.g. syslog) that you can monitor with splunk, then you can definitely do that. The question as it is however is too vague to say how exactly.

0 Karma

Fritto73
New Member

SQL database. As it stands, there is no alert for any type of database copy made. From my research and knowledge there are too many variables to just log the "copy" of a database. If what I have been told is correct, someone who knows what they are doing can run a "select" statement and copy the DB without anyone else knowing. If that is true, then would splunk identify that?

0 Karma

jeffland
SplunkTrust

Splunk does not "identify" anything - you use splunk to identify stuff in data. MS Word does not write a letter for you, but you can use it to write and format one.
There are two basic steps you need to do: 1) get the data from the sources to monitor into splunk, 2) in that data, find pieces of evidence or run statistics that indicate a problem or violation.

A primary type of data ingested with splunk is log data. In order to get you started with point one, you need to enable logging on your SQL database, i.e. make it write all (attempted) accesses and run queries to log files, and monitor those log files with splunk. You will then be able to search through those logs, and will have to identify what queries are not supposed to be run/which users are not supposed to log on/which IPs are not supposed to contact the server and all that. But bear in mind that everything you want to find out about has to be somewhere in that log data. If the logs only contain info on the queries run and not on who ran them from which IP, then you cannot use that data in splunk.

0 Karma
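As an added illustration of the second step jeffland describes (finding copy-like queries, unexpected users and unexpected source IPs in ingested SQL audit logs), here is detection logic in Python run over constructed audit lines. It is not code from this thread or from Splunk; the key=value log format, the `svc_backup` account and the `10.0.0.` client range are assumptions, and the last sample line shows what happens when the log lacks the actor fields the thread warns about.

```python
import re

# Constructed sample audit lines (not real data); assumed format: timestamp, key=value fields, quoted statement.
SAMPLE_LOG = """\
2024-05-01T02:13:07Z user=svc_backup src_ip=10.0.0.5 db=orders stmt="BACKUP DATABASE orders TO DISK='/bak/orders.bak'"
2024-05-01T02:14:11Z user=jdoe src_ip=10.0.0.21 db=orders stmt="SELECT id, total FROM sales WHERE id = 42"
2024-05-01T03:02:55Z user=jdoe src_ip=203.0.113.9 db=orders stmt="SELECT * FROM customers"
2024-05-01T03:03:10Z user=contractor1 src_ip=10.0.0.44 db=orders stmt="SELECT * INTO OUTFILE '/tmp/c.csv' FROM customers"
2024-05-01T03:05:00Z db=orders stmt="BACKUP DATABASE orders TO DISK='/tmp/x.bak'"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<kv>.*?)\s*stmt="(?P<stmt>.*)"$')
KV_RE = re.compile(r'(\w+)=(\S+)')
# Statement shapes that amount to copying a database or a whole table out.
COPY_PATTERNS = [
    re.compile(r'^\s*BACKUP\s+DATABASE\b', re.I),
    re.compile(r'\bINTO\s+OUTFILE\b', re.I),
    re.compile(r'^\s*SELECT\s+\*\s+FROM\b(?!.*\bWHERE\b)', re.I),  # unfiltered full-table read
]
ALLOWED_BACKUP_USERS = {"svc_backup"}   # assumption: the only account expected to copy data
ALLOWED_SRC_PREFIXES = ("10.0.0.",)     # assumption: database clients live on this internal range

def parse_line(line):
    # Returns the event fields as a dict, or None for a line that does not match the format.
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {**dict(KV_RE.findall(m.group("kv"))), "ts": m.group("ts"), "stmt": m.group("stmt")}

def classify(ev):
    # Returns the reasons this event should alert; an empty list means authorized or not a copy.
    if not any(p.search(ev["stmt"]) for p in COPY_PATTERNS):
        return []
    user, ip = ev.get("user"), ev.get("src_ip")
    if user is None or ip is None:
        # The thread's caveat: without actor fields in the log, the copy cannot be attributed.
        return ["copy-like statement but log lacks user/src_ip; cannot attribute"]
    reasons = []
    if user not in ALLOWED_BACKUP_USERS:
        reasons.append(f"copy-like statement by non-backup user {user}")
    if not ip.startswith(ALLOWED_SRC_PREFIXES):
        reasons.append(f"copy-like statement from unexpected source {ip}")
    return reasons

def find_copy_events(log_text):
    # Scans the audit text and returns only the events that should raise an alert.
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and (reasons := classify(ev)):
            hits.append({**ev, "reasons": reasons})
    return hits
```

Once the same audit data is indexed in Splunk, the equivalent scheduled search behind an alert would be along the lines of `index=sql_audit (stmt="BACKUP DATABASE*" OR stmt="*INTO OUTFILE*") NOT user=svc_backup | stats count by user, src_ip` (illustrative SPL with an assumed index and field names).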