2_ds_microsoft_mssql.md

Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	endpoint-login:success (authentication-successful) ↳microsoft-mssql-str-endpoint-login-logon database-login:success (database-login) ↳microsoft-mssql-leef-database-login-success-18454 ↳microsoft-mssql-leef-database-login-success-18453 ↳microsoft-mssql-kv-database-login-success-14 ↳microsoft-mssql-xml-database-login-success-33205 ↳microsoft-mssql-cef-database-login-success-loginsucceeded ↳microsoft-mssql-kv-database-login-success-impersonate ↳microsoft-mssql-str-database-login-success-18454 ↳microsoft-mssql-kv-database-login-success-18453 ↳microsoft-mssql-str-database-login-success-18453 ↳microsoft-mssql-kv-database-login-success-lgis ↳microsoft-mssql-kv-database-login-success-18454 ↳microsoft-mssql-cef-database-login-success-loginsucceded ↳microsoft-mssql-cef-database-login-success-authentication ↳microsoft-mssql-xml-database-login-qualifiers ↳microsoft-mssql-xml-database-login-audit ↳microsoft-mssql-kv-database-login-fail-sqlagent ↳microsoft-mssql-json-database-activity-success-dbactivity database-query:success (database-query) ↳microsoft-mssql-json-database-activity-success-dbactivity ↳microsoft-mssql-json-database-query-success-databasequery ↳microsoft-mssql-xml-database-login-qualifiers ↳microsoft-mssql-kv-database-query-success-sl ↳microsoft-mssql-json-database-query-success-sqlserver app-login:fail (failed-app-login) ↳microsoft-mssql-kv-app-login-fail-18456 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser-1 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser network-session:success (process-network) ↳microsoft-defenderep-cef-network-session-devicenetworkevents ↳microsoft-defenderep-cef-network-session-devicenetworkevents	T1078 - Valid Accounts T1133 - External Remote Services T1213 - Data from Information Repositories TA0002 - TA0002	27 Rules 15 Models
Data Access	database-login:success (database-login) ↳microsoft-mssql-leef-database-login-success-18454 ↳microsoft-mssql-leef-database-login-success-18453 ↳microsoft-mssql-kv-database-login-success-14 ↳microsoft-mssql-xml-database-login-success-33205 ↳microsoft-mssql-cef-database-login-success-loginsucceeded ↳microsoft-mssql-kv-database-login-success-impersonate ↳microsoft-mssql-str-database-login-success-18454 ↳microsoft-mssql-kv-database-login-success-18453 ↳microsoft-mssql-str-database-login-success-18453 ↳microsoft-mssql-kv-database-login-success-lgis ↳microsoft-mssql-kv-database-login-success-18454 ↳microsoft-mssql-cef-database-login-success-loginsucceded ↳microsoft-mssql-cef-database-login-success-authentication ↳microsoft-mssql-xml-database-login-qualifiers ↳microsoft-mssql-xml-database-login-audit ↳microsoft-mssql-kv-database-login-fail-sqlagent ↳microsoft-mssql-json-database-activity-success-dbactivity database-query:success (database-query) ↳microsoft-mssql-json-database-activity-success-dbactivity ↳microsoft-mssql-json-database-query-success-databasequery ↳microsoft-mssql-xml-database-login-qualifiers ↳microsoft-mssql-kv-database-query-success-sl ↳microsoft-mssql-json-database-query-success-sqlserver app-login:fail (failed-app-login) ↳microsoft-mssql-kv-app-login-fail-18456 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser-1 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser	T1078 - Valid Accounts T1213 - Data from Information Repositories	19 Rules 10 Models
Lateral Movement	endpoint-login:fail (authentication-failed) ↳microsoft-mssql-str-endpoint-login-logon endpoint-login:success (authentication-successful) ↳microsoft-mssql-str-endpoint-login-logon app-login:fail (failed-app-login) ↳microsoft-mssql-kv-app-login-fail-18456 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser-1 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser network-session:success (process-network) ↳microsoft-defenderep-cef-network-session-devicenetworkevents ↳microsoft-defenderep-cef-network-session-devicenetworkevents network-session:fail (process-network-failed) ↳microsoft-defenderep-cef-network-session-devicenetworkevents ↳microsoft-defenderep-json-network-session-fail-devicenetworkevents	T1071 - Application Layer Protocol T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application TA0008 - TA0008 TA0010 - TA0010 TA0011 - TA0011	45 Rules 19 Models
Malware	endpoint-login:success (authentication-successful) ↳microsoft-mssql-str-endpoint-login-logon user-privilege-use:success (privileged-object-access) ↳microsoft-windows-kv-user-privilege-use-success-578 ↳microsoft-evsecurity-kv-user-privilege-use-success-wls network-session:success (process-network) ↳microsoft-defenderep-cef-network-session-devicenetworkevents ↳microsoft-defenderep-cef-network-session-devicenetworkevents network-session:fail (process-network-failed) ↳microsoft-defenderep-cef-network-session-devicenetworkevents ↳microsoft-defenderep-json-network-session-fail-devicenetworkevents	T1053 - Scheduled Task/Job T1053.003 - T1053.003 T1078 - Valid Accounts T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	27 Rules 7 Models
Privilege Abuse	app-login:fail (failed-app-login) ↳microsoft-mssql-kv-app-login-fail-18456 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser-1 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser group-member-add:success (member-added) ↳microsoft-defenderep-cef-group-member-add-success-accountadded group-member-remove:success (member-removed) ↳microsoft-defenderep-cef-group-member-remove-success-accountremoved	T1078 - Valid Accounts T1098 - Account Manipulation T1136 - Create Account	25 Rules 12 Models
Ransomware	endpoint-login:fail (authentication-failed) ↳microsoft-mssql-str-endpoint-login-logon endpoint-login:success (authentication-successful) ↳microsoft-mssql-str-endpoint-login-logon app-login:fail (failed-app-login) ↳microsoft-mssql-kv-app-login-fail-18456 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser-1 ↳microsoft-mssql-json-app-login-fail-loginfailedforuser	T1078 - Valid Accounts	1 Rules