Detecting Connection Timeouts

Connection timeouts can be difficult to troubleshoot. It’s sometimes not even apparent that a timeout has occurred. However, the connectivity_ring_buffer_recorded Extended Event can show that this has happened. This is a debug event within Extended Events, so some caution is necessary in its use. Microsoft can change the debug events without warning. You can use […] Read more

Database Drift – Monitoring Unauthorized Object Changes

This metric identifies when an object has been changed by a login other than the authorized one. It relies on an Extended Events session to capture the metrics and filters for a specific login. This is a tweak to this custom metric. Here is the necessary Extended Events session (substitute the appropriate login for the ‘LoginName’ string. […] Read more

Detect MrbMiner Malware

This metric looks for the presence of the MrbMiner malware by checking for an account in sys.sql_logins. Additional information: https://www.zdnet.com/article/new-mrbminer-malware-has-infected-thousands-of-mssql-databases/ Read more

Monitor Database Events

This metric queries data from an Extended Events session to detect databases being dropped, created, started, stopped, attached or detached. It assigns a configurable “anxiety index” value (an integer from 1-10) to each detected event and then calculates a total based on the occurrences of these events over a period. First, create and start for […] Read more

Monitoring Changes in Permissions, Users, Roles and Logins

Reports the number of changes to logins, users and roles in the past 10 minutes. It measures every change but doesn’t tell you whether this is a drift from what it should be, since it might only be a permission being temporarily created and then revoked. First, create the following function in the database on the […] Read more

Detect Suspicious Errors Typical of a SQL Injection Attack

Detects errors characteristic of a possible SQL Injection attack, or other attempts to gain illicit access to a database server. Returns the number of errors detected in the last 20 minutes. First, create an Extended Events session on the monitored SQL Server instance, then start the event session. Read more