Question & Answer
Question
What permissions do we need on a Microsoft SQL Server to allow QRadar to query the AuditData table?
Cause
If the SQL user account has insufficient privileges, QRadar cannot collect events from Microsoft SQL Server.
Answer
Before you begin: This configuration is for Microsoft SQL Server 2008 - 2012. Check your SQL Server documentation for other versions.
The Microsoft SQL Server Log Source requires a user with the SELECT privilege on the dbo.AuditData view. Per our DSM Guide, the dbo.AuditData view is created based on the sys.fn_get_audit_file function, which requires CONTROL SERVER permissions.
If the user in question cannot query the view, the cause might be insufficient permissions.
For more information, see Microsoft Library - sys.fn_get_audit_file.
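One way to confirm which of the two permissions named above is missing, as an added example that is not from IBM's article or the DSM Guide. The login and user name `qradar_svc` and the database name `AuditDB` are placeholders for your own values.

```sql
-- Added example, not IBM's code. Placeholders (assumptions): login/user
-- qradar_svc, database AuditDB holding the dbo.AuditData view.
-- Run as an administrator who can impersonate the login (sysadmin can).
USE AuditDB;
GO

EXECUTE AS LOGIN = N'qradar_svc';   -- evaluate permissions as the log source account

-- 1 = permission held, 0 = not held, NULL = securable or permission name not valid
SELECT
    SUSER_NAME() AS checked_login,
    HAS_PERMS_BY_NAME(N'dbo.AuditData', N'OBJECT', N'SELECT') AS can_select_view,
    HAS_PERMS_BY_NAME(NULL, NULL, N'CONTROL SERVER')          AS has_control_server;

-- Read one row through the view, as the log source would.
-- A permission failure is returned as a row instead of aborting the batch.
BEGIN TRY
    SELECT TOP (1) * FROM dbo.AuditData;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

REVERT;                             -- return to the administrator's context
GO

-- Grants for the two permissions the article names; uncomment only what the
-- check above reports as missing. Assumes the database user has the same
-- name as the login.
-- GRANT SELECT ON dbo.AuditData TO qradar_svc;
-- USE master;   -- server-level permissions can be granted only from master
-- GRANT CONTROL SERVER TO qradar_svc;
```

CONTROL SERVER applies to the whole SQL Server instance, so the account that holds it should be dedicated to the log source.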
Document Information
Modified date: 03 April 2020
UID: swg21989944