I’d like to be able to monitor and trigger alerts for SQL sysadmin changes, i.e. users getting promoted to sysadmin accounts, new users being created on SQL, password changes, etc.
I have configured SQL 2017 Std to audit events following the Rapid7 documentation; the data collection is working well in InsightIDR and I can see events are being recorded. Unfortunately, all events being recorded appear to have the same event code, 33205. I have created new users, changed passwords, etc. InsightIDR is collecting the data, however it is lacking any detail, so triggering alerts would result in a lot of false positives.
Has anyone configured InsightIDR to audit SQL events that could indicate someone is tampering with or hacking the DB? Can someone point me in the right direction?
Many thanks, Sam
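As an added example (not part of the original post, and not Rapid7's or the poster's configuration): SQL Server writes every audit record to the Windows event log under the single event ID 33205, so the event ID alone will never distinguish a role-membership change from a password change. The detail needed for alerting is in the message body of that event (the `action_id`, `statement`, `server_principal_name` and `target_server_principal_name` fields), which is what the InsightIDR rule has to key on. The T-SQL below creates a server audit targeting the Application log and a server audit specification covering the cases asked about (sysadmin promotion, login creation, password changes, audit tampering), then lists the `action_id` codes those groups will emit so the rule can match on them. The audit and specification names (`PrivChangeAudit`, `PrivChangeAuditSpec`) are assumptions chosen for this example; run it as a sysadmin in `master` on SQL Server 2017.

```sql
-- Added example: server-level audit for privilege and login changes.
-- Names PrivChangeAudit / PrivChangeAuditSpec are assumptions for this example.
USE master;
GO

-- 1. Audit destination. APPLICATION_LOG needs no extra Windows audit-policy
--    setup; SECURITY_LOG would require the "Generate security audits" right.
--    ON_FAILURE = CONTINUE keeps the instance running if the log is unavailable;
--    use SHUTDOWN only where losing audit records is unacceptable.
CREATE SERVER AUDIT PrivChangeAudit
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. What to record. Each group maps to the question's concerns:
--    SERVER_ROLE_MEMBER_CHANGE_GROUP  - ALTER SERVER ROLE ... ADD/DROP MEMBER (sysadmin promotion)
--    SERVER_PRINCIPAL_CHANGE_GROUP    - CREATE/ALTER/DROP LOGIN (new users)
--    LOGIN_CHANGE_PASSWORD_GROUP      - password changes and resets
--    SERVER_PERMISSION_CHANGE_GROUP   - GRANT/DENY/REVOKE at server scope (e.g. CONTROL SERVER)
--    AUDIT_CHANGE_GROUP               - someone switching this audit off or altering it
CREATE SERVER AUDIT SPECIFICATION PrivChangeAuditSpec
    FOR SERVER AUDIT PrivChangeAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Enable the audit (specifications do nothing until the audit itself is ON).
ALTER SERVER AUDIT PrivChangeAudit WITH (STATE = ON);
GO

-- 4. Confirm both objects are enabled.
SELECT a.name AS audit_name, a.is_state_enabled AS audit_on,
       s.name AS spec_name, s.is_state_enabled AS spec_on
FROM sys.server_audits AS a
JOIN sys.server_audit_specifications AS s ON s.audit_guid = a.audit_guid
WHERE a.name = N'PrivChangeAudit';
GO

-- 5. List the action_id codes these groups produce. Every resulting Windows
--    event is ID 33205; the action_id below is what appears in its message
--    body and is the field an InsightIDR rule should match (for example,
--    the "ADD MEMBER" action within SERVER_ROLE_MEMBER_CHANGE_GROUP combined
--    with a target role of sysadmin). Read the codes from this query on your
--    own instance rather than hard-coding them from memory.
SELECT action_id, name, class_desc, containing_group_name
FROM sys.dm_audit_actions
WHERE containing_group_name IN (
        N'SERVER_ROLE_MEMBER_CHANGE_GROUP',
        N'SERVER_PRINCIPAL_CHANGE_GROUP',
        N'LOGIN_CHANGE_PASSWORD_GROUP',
        N'SERVER_PERMISSION_CHANGE_GROUP',
        N'AUDIT_CHANGE_GROUP')
ORDER BY containing_group_name, action_id;
GO
```

To check that the pipeline works end to end, create a throwaway login, add it to `sysadmin`, then drop it, and confirm three 33205 events arrive with different `action_id` values and the expected `statement` text; the alert rule then matches on those message-body fields rather than on the event ID. Because `AUDIT_CHANGE_GROUP` is included, an attacker disabling the audit to cover their tracks produces a record of its own, which is usually worth a high-severity alert by itself.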