I assume from your description that the built-in account is used by DBAs.
The first question is: why do DBAs use this account? Good DB security policy requirements stress the use of named accounts.
It will be hard to distinguish what is generated by the DB engine itself from other activity. Even if you are able to do that, a skilled DBA can still try to evade tracking by generating something that looks like standard DB engine activity.
If DBAs have to use the built-in account, I suggest focusing on the access vector. The UID chain (on Linux/Unix) will provide information about the full process chain. DB engine activity will refer to the mysql binary, and DBA sessions will mostly come from an ssh process. However, the UID chain cannot be used in real-time monitoring.
You can also consider identifying non-user sessions using a rule based on the number of SQL statements generated in a defined time. For example: if a session generates more than 1000 SQL statements per second in the first minute, the session should be considered an application one.
------------------------------
Zbigniew Szmigiero
IBM
Warsaw
------------------------------
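As an added illustration of the rate rule described above (example code, not from the original post and not Guardium's own policy engine), here is a small Python post-processor that classifies each session by its peak statements-per-second in the first minute and then keeps only the SELECT statements from sessions that did not trip the rule, which is the filtering the question asks for. The record layout, the sample records and the reading of "per second in the first minute" as the highest one-second count within that window are all assumptions of this example.

```python
"""Rate-based session classification over constructed audit records.

Constructed example: the record layout is an assumption (three fields
chosen for illustration), not Guardium's native audit format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Rule parameters from the post: more than 1000 statements per second
# within the first minute of the session marks it as an application session.
RATE_THRESHOLD = 1000   # statements per one-second bucket
FIRST_WINDOW = 60.0     # seconds from the first statement of the session


@dataclass(frozen=True)
class AuditRecord:
    session_id: str   # assumption: one id per client connection
    ts: float         # statement timestamp, seconds
    sql: str          # statement text as captured


def peak_rate(stamps: List[float], start: float) -> int:
    """Highest number of statements seen in any one-second bucket.

    Buckets are relative to `start`, the session's first statement. The peak
    (not the mean) is used so a burst is not diluted by idle seconds; that
    reading of "per second in the first minute" is this example's assumption.
    """
    buckets: Dict[int, int] = defaultdict(int)
    for t in stamps:
        buckets[int(t - start)] += 1
    return max(buckets.values(), default=0)


def classify_sessions(records: Iterable[AuditRecord],
                      threshold: int = RATE_THRESHOLD,
                      window: float = FIRST_WINDOW) -> Dict[str, str]:
    """Map each session id to 'application' or 'interactive'."""
    by_session: Dict[str, List[float]] = defaultdict(list)
    for r in records:
        by_session[r.session_id].append(r.ts)
    verdict: Dict[str, str] = {}
    for sid, stamps in by_session.items():
        stamps.sort()
        start = stamps[0]
        first_minute = [t for t in stamps if t - start < window]
        rate = peak_rate(first_minute, start)
        verdict[sid] = "application" if rate > threshold else "interactive"
    return verdict


def is_select(sql: str) -> bool:
    return sql.lstrip().upper().startswith("SELECT")


def dba_selects(records: List[AuditRecord]) -> List[AuditRecord]:
    """SELECT statements from sessions that did NOT trip the rate rule.

    This is the post-filter the question asks for: keep the DBA's own SELECTs
    and drop the high-rate sessions whose SELECTs come from applications.
    """
    verdict = classify_sessions(records)
    return [r for r in records
            if verdict[r.session_id] == "interactive" and is_select(r.sql)]


def build_sample() -> List[AuditRecord]:
    """Constructed audit records (not captured from a real server)."""
    base = 1_700_000_000.0
    recs: List[AuditRecord] = []
    # app-1: 1500 parameterised lookups inside the first second -> application
    for i in range(1500):
        recs.append(AuditRecord("app-1", base + i / 1500,
                                "SELECT id FROM orders WHERE id = ?"))
    # dba-1: a person typing; statements seconds apart, one past the window
    for off, sql in [(0, "select * from sys.tables"),
                     (4, "SELECT name FROM sys.databases"),
                     (9, "INSERT INTO audit_note VALUES ('checked')"),
                     (70, "select count(*) from dbo.users")]:
        recs.append(AuditRecord("dba-1", base + off, sql))
    # dba-2: a DBA running a 50-statement script; a burst, but under threshold
    for i in range(50):
        recs.append(AuditRecord("dba-2", base + 20 + i / 50,
                                f"UPDATE dbo.t SET c = 1 WHERE id = {i}"))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    for sid, kind in sorted(classify_sessions(sample).items()):
        print(f"{sid}: {kind}")
    for r in dba_selects(sample):
        print(f"{r.session_id}: {r.sql}")
```

The threshold is a heuristic, which is exactly the weakness the reply above points out: a DBA who throttles a script stays below it, and an application that trickles statements looks interactive. It is best used alongside the access-vector check (session arriving via an ssh process versus the database binary or an application server) rather than on its own, and the threshold should be tuned against your own traffic before it feeds an alert.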
Original Message:
Sent: Thu October 17, 2019 09:28 AM
From: Herman Engström
Subject: Select Command - MSSQL
Hi,
I want to log SELECT commands performed by DBAs on a MSSQL server. However, when using the (Public) Select Command rule, it also includes SQL commands generated by the MSSQL server, and I am only interested in the DBA input.
If I use the same Select Command rule on MySQL, it only logs the DBA input and nothing else.
I have used Action: Ignore S-TAP Session, and it had some effect on the machine-generated logs, but if I do an INSERT it generates a lot of logs, since the INSERT command uses SELECT commands to perform the INSERT.
Do you have any suggestions on how to solve this issue, or could you point me in the right direction?