Onboarding MSSQL logs to Azure Sentinel-EventID:33205

Nafila Afrin 111 Reputation points
2021-09-03T01:33:24.627+00:00

Hi there!

While onboarding MSSQL logs from an on-prem server to Azure Sentinel, we could see most of the logs under the event ID 33205.

  1. Why are all the logs clubbed under Event ID 33205?
  2. Is there a way we can filter out the necessary events from Event ID 33205?

Thanks in Advance


Accepted answer
  1. VipulSparsh-MSFT 16,246 Reputation points Microsoft Employee
    2021-09-07T04:46:11.163+00:00

    @Nafila Afrin Thanks for reaching out and apologies for the delay on this.

    1) Yes, the logs do show up with the same Event ID in most cases, 33205. This is by design, as all SQL audit events are generated with Event ID 33205.
    2) You can surely filter out the data you need on the basis of actions, something like this:

    SQLEvent                                  // parser function from the linked article, built on top of Event ID 33205 records
    | where LogonResult has "failed"          // keep only failed logon audit records
    | summarize count() by CurrentUser, Reason

    Check this for more customized KQL queries to understand how you can generate different insights :
    https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-sql-server-with-azure-sentinel/ba-p/1502960

    If you have a specific requirement which is not mentioned on that do let us know.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
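The accepted answer filters through the SQLEvent parser. As an added example (not from the thread or from Microsoft), the query below does the same carving directly on the raw Event table, so it works before the parser function is deployed. It assumes the SQL Server audit is written to the Windows Application log in its default layout, where each audit field appears as a `name:value` token (e.g. `action_id:LGIF`, `succeeded:false`) inside RenderedDescription; the action code LGIF (login failed) is likewise an assumption to verify against your own records.

```kql
// Added example: split the single shared Event ID 33205 into useful fields.
// Assumption: SQL audit records land in the Application log and render
// their fields as "name:value" tokens in RenderedDescription.
Event
| where EventLog == "Application" and EventID == 33205
| where Source startswith "MSSQL"            // MSSQLSERVER or MSSQL$<instance>
| extend ActionId  = extract(@"action_id:(\w+)", 1, RenderedDescription),
         Succeeded = extract(@"succeeded:(true|false)", 1, RenderedDescription),
         Principal = extract(@"server_principal_name:([^\r\n]+)", 1, RenderedDescription),
         ClientIp  = extract(@"client_ip:([^\r\n]+)", 1, RenderedDescription),
         Statement = extract(@"statement:([^\r\n]+)", 1, RenderedDescription)
// Keep failed logons (LGIF, assumed action code) and any other failed action.
| where ActionId == "LGIF" or Succeeded == "false"
// Group repeated failures per source and principal; a burst from one
// client IP against one login is the pattern worth alerting on.
| summarize FailedAttempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleStatement = any(Statement)
    by Computer, Principal, ClientIp, ActionId
| where FailedAttempts >= 10
| order by FailedAttempts desc
```

Swap the `extract` patterns for the field names your instance actually emits; run `Event | where EventID == 33205 | take 5` first to confirm the layout.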


1 additional answer

  1. Nafila Afrin 111 Reputation points
    2021-09-07T05:29:39.327+00:00

    Hi Vipul,

    Thanks for the update. I would like to filter the events before we send the logs to Sentinel using Azure Monitor agent DCR (custom XPath queries).

    Do we have any sample database XPath queries for filtering MSSQL, MySQL and Oracle database logs before we send the logs to Sentinel using Azure Monitor agent DCR?

    Thanks in advance!