microsoft_sql_dangerous_operations

[dan21san]

Summary of the Pull Request

Add a new rule about the critical transaction on MS SQL SERVER (as truncate or drop table).

Changelog

new: MSSQL Destructive Query

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[dan21san]

Log sample (blurred):

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="MSSQLSERVER$AUDIT" /> 
  <EventID Qualifiers="16384">33205</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>3</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x80a0000000000000</Keywords> 
  <TimeCreated SystemTime="2025-03-03T08:38:18.9887014Z" /> 
  <EventRecordID>1263721</EventRecordID> 
  <Correlation ActivityID="{...}" /> 
  <Execution ProcessID="756" ThreadID="880" /> 
  <Channel>Security</Channel> 
  <Computer>TESTSQL.testdomain</Computer> 
  <Security UserID="S-x-x-xx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx" /> 
  </System>
- <EventData>
  <Data>audit_schema_version:1 event_time:2025-03-05 08:38:18.0821929 sequence_number:1 action_id:DR succeeded:true is_column_permission:false session_id:70 server_principal_id:266 database_principal_id:1 target_server_principal_id:0 target_database_principal_id:0 object_id:1845581613 user_defined_event_id:0 transaction_id:175974 class_type:U duration_milliseconds:0 response_rows:0 affected_rows:0 client_tls_version:0 database_transaction_id:0 ledger_start_sequence_number:0 client_ip:local machine permission_bitmask:00000000000000000000000000000000 [...] statement:DROP TABLE dbo.tst1_Table_3 [...]</Data> 
  </EventData>
  </Event>

[dan21san]

Hi @phantinuss the suggested changes have been made! I also added the query for database drop (same logic).
As for the error, I don't understand how to solve it.

[phantinuss]

looks good to me.

The error is on our side. I will pull in the fixes when they are merged.