
MS SQL Super Quality Logs

BSides Perth · 2023 · 43:57 · 246 views · Published 2023-08 · Watch on YouTube ↗
About this talk
Tristan from Seamless Intelligence explores detection engineering for Microsoft SQL Server attacks. The talk examines logging configuration challenges, testing attack tools across platforms, and building detections for SQL-based command execution techniques like extended stored procedures and CLR assemblies.
Transcript [en]

MS SQL Super Quality Logs. [Applause] All right, thanks everyone for jumping into this one. To set the record straight on the title: the logs are actually pretty good, they do have a lot of detail in them, but as we're going through the presentation, the "super quality" and the problems come about in the whole deploying and getting the logging working across MSSQL, and putting this into a presentation yesterday at work. I'm Tristan, I work at Seamless Intelligence, and you can make your titles up these days, so I'm just a log enthusiast. We spend a lot of time involved in getting logs into monitoring, building detections out of logging, and anything else to do with

the logs. The GitHub repo at the bottom there contains a heap of artifacts from the presentation today, so there's detections, there's some metadata related to those, and the SQL queries that we'll run through are all in there as well, so if you ever really want to turn logging on in a SQL database it should all be there. So why are we talking about SQL logging in 2023? We went down a massive rabbit hole, and that started here with a Hack The Box box called Escape, and the initial access into this box was to use a stored procedure in MSSQL which is called xp_dirtree. It's a pretty dangerous one; it's been on Microsoft's hit list for a

while now to change the default configuration on xp_dirtree to stop it being executable by any user, which it is by default. As you can see here, I'm running nmap on this box, MSSQL was open, we dug into that hole, we were able to execute this stored procedure called xp_dirtree, which basically reaches out and will list the directory structure of a share. In this case we point it back to our box running Responder and, beautifully, it tries to authenticate to us, and we get the NTLM hash for the account running the SQL service, whatever that happens to be; in this case it's a user account, sql_service, or it'll be the system account.

The problem with all of this came when we... we like to grab the Hack The Box boxes and, where we can, turn them into something in our research environment to play with, and so we began to execute xp_dirtree with all of the default logging turned on in MSSQL to see what we could detect based on that. Now, if an attacker jumps onto a Windows box and does whatever they're going to do on a Windows box, then it's relatively simple to detect a lot of tactics and techniques there off the OS itself. The big reason for this is the amount of information out there. We have the ACSC event log forwarding guide; it has a

heap of good configuration about what you need to do in group policy to get the logging set, how to then forward that using Windows Event Forwarding, and that's OS logs, and we can generate a heap in Windows natively. We can look to install something like Sysmon, which is free and owned by Microsoft now, to up that logging as well. There's really only one overlap between native Windows logs and Sysmon, and that's the process creation logs; everything else in Sysmon is unique to Sysmon and generally can't be generated on the OS. I believe we get something like device logs from Defender, so almost all organisations are going to have a level of EDR on a box, so

we're not needing to add more products to monitor the operating system. Device logs coming off Defender are very similar, if not the same, as Sysmon logs, and then you'll have your other EDR products, so you have CrowdStrike on there, which we can get raw logs as well as alerts off that box. So on the OS itself we have so many options and it's pretty well documented how to turn all of this logging on. An attacker jumps into MS SQL and stays mostly within the database: our opportunities to detect them are far, far fewer. As you can see there, this is us jumping in and running some commands, we get a few; the detail is not all that

important, but you can see from the colour of the risk on these alarm cards on the right hand side there, they're pretty low level. So we're getting things coming out of MS SQL, but we may not fully understand what an attacker is doing within SQL. When we started to look at the configuration and how to address this, we ran into a big problem, in that trying to find the same advice for MS SQL that we have out there for Windows security just led us to products. So all of those links there, we went to them, each one of them; they may have some technical detail, but ultimately if you try and look into it any further than superficially, they're

trying to sell a product, all of them. We thought "Attacking Microsoft SQL Server Databases" would be a good article to start; I think that's Netwrix, no, that's Stealthbits, but they sell a product to you as well. So there's not that community and that open source configuration documentation, all the good things that we have for daily Windows security logs; it doesn't exist. Where it exists, what we found is it's mostly related to auditing, and unfortunately those audit configs, while they serve a purpose, they don't actually help us detect attackers really well. I even went and asked ChatGPT and Bing, or whatever it's called, "how do I detect attackers in MSSQL?", so they can tell me and then I

don't have to do much work. ChatGPT spews out, as it always does, a heap of text; it's not very good, it's wrong. Bing went off on a path into extended events and auditing and that sort of stuff, and this is what we've found generally when we're trying to research this. I've just highlighted the bits, and I see this a lot in advice for monitoring: "just detect unusual patterns of access". If I knew what they were it'd be easy. "Look for suspicious..." it's a suspicious pattern; "look for unexpected, unauthorised connections". So the advice is always quite high level, and technically I can't turn that into anything useful really; if I could I wouldn't have a job. So first

issue, big issue, that we ran into. Second big issue: we spun an SCCM box up, thinking there might be a chance, Microsoft product, built-in SQL database, all that sort of good stuff, that there would be some default logging. There isn't. So the three bits we need: we need a server audit, which we'll go through in a sec, we need database audits to tell the database what to log and send us, and then we need a server audit specification, and none of those are present in any of the installs we've seen. You do get a cool tick box here for login auditing, which will log failed and successful login attempts, and that's

about it. Not that useful by itself; authentication generally doesn't give you a lot of context, we don't know what a user is doing or what an account is doing. It can be useful with all the other logging, but by itself, this being the only option to easily get at, it's not. So what we had to do was build everything from scratch, basically. We couldn't detect anything that we did in the MSSQL database with built-in logs, so we built a set of configuration, which is in the GitHub repository, and that's two SQL scripts which go through and turn on all the logging; we'll go through that in a sec. Here we'll talk implementation, which helped us track where we were with both

testing tools, testing the detections, and which piece of logging was responsible for that detection firing. And as we go through the documentation... it took us hours and hours and hours to do this, and I'll show you why as we go through the demo. No two things are the same. In SQL and in Windows, if we want to do something like steal a certificate or abuse a certificate authority server, get a certificate and authenticate that to the domain to get a Kerberos ticket, it's kind of one way to do it; you're going to generate something on the domain controller that we can detect. With MSSQL, what we found going through this is, because you can do it, you

can do it four, five, six different ways and achieve the same goal, which when we're trying to detect that, as we'll go through in the demo, it's really difficult, because I can't just do one test, be happy that that's captured the detection, and not have to worry about it anymore. It doesn't work like that, unfortunately. We built out all the detections, and we'll go through some of those, and then we built, tried to build, an attack demo to show the before and afters for this. Favourite configuration: the server audit needs to be turned on, so there's the three bits we need, this is the first one, and what this will

do is just tell the SQL Server where the log belongs; in this case we've sent them down into the application log, we've set a name, and then we've turned it on in this SQL. The big advantage of doing it in the script is... well, there's a number of advantages: we get consistency, we're not going to make typos, we're not going to miss things, which you'll see in the GUI would be really easy to do, and this turns logging on. If we do it through the GUI we actually need to go and restart the SQL services for those configuration changes to come into effect. So this just turns logging on, so now if

a log is generated it will go into the application logs locally, then we can use Windows Event Forwarding or whatever other mechanism we've got set up to forward that where we need to. This is the GUI version of the same piece of SQL; we'd tick a few buttons, we'd say OK, and then we'd have to restart the services, and this is how we started doing all of this config, including this stuff. This is where some of the title for the slide was: this is painful. These are the SQL statements to turn on the logging for each of these items that we want, so we can see the top one there is the xp_cmdshell stored procedure, and

that would allow us to execute commands as the account running the SQL Server on the operating system, so we want to audit that one. What I would have loved to have been able to do is use star characters and "contains" and say hey, if anyone executes a stored procedure of any name, let me know. I can't do that; we need to do them line by line, so I need to say if there's an execution of this stored procedure let me know, if there's an execution of this stored procedure let me know, and so forth, and there's 160 lines of queries, or configuration, that we turned on. If we go back to our testing, we then

test the tool and we say OK, I'm going to run xp_cmdshell to do something on a system. OK, yep, that all worked. But there can be other ways to get code to execute, as we'll show later; we have to then test that. Oh, our detections didn't fire and I've got no logs; what is the stored procedure I need to audit now? So all of this, at the end of the day, we really believe this is the bare minimum. We're not going to catch absolutely everything, but there's a good chance to catch a number of techniques and toolsets being used with the configuration that we have. We also then got into a position where

we were able to execute as public, basically, in that role, and as you can see here, these are auditing for the dbo role, or privilege, or whatever it is in SQL, so we had to double these and then do them for different privileges. So this set of configuration is there three times, with the only change being the end privilege group, or whoever can access or execute those stored procedures. That's the full text; it is what it is, it's what we do to get the detail that we need, but it is very frustrating when you spend all this time, run a whole new tool, and get no

detections, and we're in that position where we had to go back to the drawing board to add more and more monitoring. Here it is in the GUI. Don't do it in the GUI; it's where we started, and we spent too much time here. There's a couple of reasons why not. Firstly, you will get RSI: you've got to drop down, select object, select, then you've got to search for the stored procedure or whatever you want to monitor, and not all those stored procedures are there, whereas when we add them in the SQL, because we found a reference to them in a tool and we want to audit them, it accepts it and we can audit those sorts of

procedures. But if we just went by what was available in the search GUI we wouldn't get all the stored procedures; no idea why that is, but yeah. Then we have the server audit specs. We can think of the other ones as inside each of the databases: we want to know about what's going on, and we may have a SQL Server with ten databases, so we need to apply that config to each of those databases within that database server. This one we can apply just to the server as a whole, and it's mostly used for group changes, configuration changes, impersonations, things that happen at a more server-wide level. The big problem with this for us is I

don't actually know if I need all of those. A stored procedure is easy: if I execute xp_cmdshell and I get something that outputs a command to the system, I can see all that, that's relatively easy. If I go and change some groups and don't get a log... I'm pretty impatient, so what I did was I said get me everything that's in group change and I added that to the SQL auditing, then when I tested I got the detection, or the logs, that I was expecting. But the problem with the way I work is now I don't know which line was responsible for that log being available. It would be a problem if it was very high volume,

so if we were generating thousands of events a second out of this auditing I'd actually have to go and do it properly. Fortunately, for this it's very low volume, so we can add all of these in without too much impact to the database. The big hitters that we've had are around some of the internal systems working in our database, and they've all been related to database configuration, not this server-side audit specification, and that's why there's not as many comments on the right hand side there, because I don't know which piece of config worked, unfortunately. GUI: don't do it. This is the easiest one to do in the GUI; you can just drop it here, you can just drop it, and that's

all you need to do because it's server-wide. This is what it looks like, beautifully, when you run the SQL: you get "commands completed successfully" and our logs are being put down into the application log. Now, depending on the error you get, you should be able to work out which line; there's only one line difference in the two SQL scripts in the GitHub repository: there's a SQL script for pre-2017 and one for everything else, from what we've tested, and there's a single stored procedure that's not available. OK, so now when we go back in we've got the three pieces of auditing across our database highlighted there, and we can go in and check those. If we need to make

minor modifications we can do it in the GUI rather than re-running all the SQL, but for us we maintain that the source of truth is our SQL scripts. To do this, the documentation: we did this to save ourselves a heap of drama. What we did here was we tried to phase it out in a category mapping to MITRE ATT&CK, and that just lets us flow through in a relative attack chain. We put the tool in there, because this is provided as well, so if you ever want to go and spin up the tools, the tests that they're directly related to should be able to be copied and pasted. Then we added in which part of the monitoring is

responsible for the detection, and the tool that we're running. The reason we did this is if a piece of configuration did result in thousands of logs a second that weren't useful, we'd be able to say we can turn this piece of configuration off, we're going to lose this ability to detect these items. It makes the conversation a lot easier than "OK, just take it out and we'll hope it all still works". We can directly map all of these, minus some of the privilege changes, from what we've seen with the privilege change ones. So for any individual item, this one's related to the dirtree command, you'll get the tool we use, which is sqsh

(or "SQL shell" or "squish" or however you want to say it), the command so we're executing, and we're asking it to then go and get this remote directory and return the results there. It's a master database audit item, and you'll have the event that goes into the application log there, which is the 33205; they're all 33205s. And then we just put a, hopefully, human readable description around where this might occur in the attack chain, because too often when I'm writing descriptions I literally write a technical description of what's going on and it doesn't really help our analysts, or anyone, understand why we're trying to detect it. So this one, basically we're going to try and detect someone leaking

the NTLM hash through this particular technique as the account running the SQL service, which can be quite a privileged account within the domain. Other pieces of documentation: these are all JSON files, these are all in the GitHub repository. This is a metadata document we produce for all of our detections. It has things like whether it would be eligible for an encore, so high confidence and high priority, it'll have links to the tools and any of the references that we have, it has a larger description, has where it fits in the ATT&CK matrix, to map there, has where it fits within CSC... we started doing that and then they all match to the same thing: there's monitoring and analysis.

The audit logs is mostly what we're doing here, and then it will have your log sources, so we need Windows application logs and then we need a specific event ID of 33205, which is in there, yeah, 33205. And so with JSON then it's really easy for us to put it into other formats and analyse and look at our detections and what logs we need to get X, Y and Z outcomes. The testing document: these are quite easy. This one is SQLRecon, which we'll go through in a sec, but this one will go and download this DLL; you can compile the DLL, you can use that one if you want, it won't go anywhere,

but it's basically an Empire beacon back into our research environment, so if you do want to, then modify that. Because a lot of the time what I find testing the tools, and there's an example later on, is half the battle is getting the syntax right. So sqsh does it a certain way, Metasploit wants certain information, SQLRecon needs double quotes or single quotes, and then it takes time, and sometimes you will have a tool that simply will not work with the command you're trying to run. This is an example of that; move it later. All right, into the good stuff. The reason we actually do all this is to get detections, and we start with tools as well,

so this one is sqsh. It's really easy, it's just a command line interface that you can connect to an MS SQL server with, and we combined that then with an article like this from HackTricks, yep, HackTricks, which has a heap of raw SQL that will achieve similar outcomes to the tooling that's available, like SQLRecon and those sorts of things. The reason we start with this is to gain a greater understanding of what's happening under the hood, so if I can go and execute commands using raw SQL it gives me a much better understanding of what's going on, versus just running a tool where I say hey, run this command; I don't really know what's going on,

because at the end of the day, to understand and get to the logs we need to know what the tool is doing. So we almost always start with trying to do it manually and get an understanding, and then if that becomes too hard we'll just use the tools, which does happen sometimes. Metasploit, pretty old now but really useful, has a heap of built-in MSSQL modules, and this is a really good example where we went and crafted a heap of detections, we spent hours on logging, we ran the Metasploit enum for MS SQL and it generated zero detections. So I was like, oh, here we go. The good thing, though, is these are all open source, so into

the source code: what is Metasploit doing when it's enumerating? And we get all the SQL that's running, and it's like oh, it's querying that table, not that one, it's doing it this way, and so we can pull those out, run those manually and get the audit scripts, or the logging scripts, getting what we need. So Metasploit's still really good. CME is really good; it's got a heap of built-in MS SQL stuff to enumerate, brute force users and get command execution onto a box. SQLRecon: I think SQLRecon's written in C#, C# or something like that; run that on the Windows side of things. So now we're able to test both on

Linux land with sqsh and CME, and then running it on a Windows box with SQLRecon and PowerUpSQL, and PowerUpSQL is built in PowerShell. So now we've got a really good spread of tools that have a heap of functionality built in: we've got ways to do things manually, tools built in SQL, tools built in C#, all that sort of stuff. And it can sometimes make a difference what language the tool is built in, surprisingly; this is a surprise to me over the last few months, in that the logs will look different, and that's painful for us trying to craft detections based on logs that should look a certain way, and when we try a different tool and do the same

thing, it looks completely different. So we put our detections into three categories, and then a dumping ground for others. The big one that we started with was stored procedure use, and this is where we can get a lot of the execution-type detections; we can use those to gain a system privilege to then execute into the OS, to then go on from there. Secondly, our SQL queries: there's lots of juicy information in databases, and so we can monitor for actual queries. One of the really nice things about the logs is it does not return the results of the query; we hoped it didn't, and it doesn't, and that would be an issue. So if you execute a query

against something that would be considered sensitive data, it'll just tell you what query is run, not the results, which is good. And then authentication. Authentication ties it all together, and it's probably the last thing that we use in our detections, apart from the brute force and enumeration, but in and of itself there's not a lot of context unless it's a user such as a receptionist logging in, but then that poses technical challenges sometimes to correlate that in one item. And we have privilege changes, config changes, other things we can do to a database that might have one or two detections that aren't worth their own category. All right, here we go, so live demo; I cop

lots, lots of flack for this: "just do a video". All right, so what we will do... it's the default password, don't judge them. So we'll start with just a couple of attacks into an MS SQL database. So we're going to log on, so this is our sqsh, so we're now... we've cheated a bit, we've got a user, we're not going to do the initial access stuff, but we're going to stay in the database, so we're not going to break out, and there's my notes because I can't type, but we're not going to break out into the operating system yet because that would then bring in normal logs. So I

will start by stealing the NTLM hash of the account running the SQL service, so we'll do that, and then in this pre-prepared tab we will fire up Responder. Let's get a couple of requests. Is it working? OK, here we go, so here's Responder. For anyone who hasn't seen Responder, it just sits on the network and has been used to abuse local authentication and that sort of stuff. This is really interesting: when we started using it, for anyone with Defender ATP, I don't know if this is documented, all those names aren't on my network; that's Defender putting them out locally on the wire, and if it gets a response you'll get an alert back into security through

ATP: "Responder's on the network". Really cool functionality that we actually didn't know existed. So none of those are on the network. What we'll do now is go back to our tab... that's for later. Here we go, so it's as simple as execute xp_dirtree and then go back and list me out this directory. So it's listed out the SMB share, and of course there's nothing there because there's not really an SMB share there, but what we should have is the NTLM hash for the service account. So it's pretty simple, and the big danger, as I mentioned before, is that public is granted the execute right on that stored procedure to do that by

default, so any database user that connects has access to that procedure. You'll either get that one there; if it's got a dollar sign it's the system account, and if it's a user account, as they call them, service accounts, they're just users with svc_, you'll get that as well. The advantage of getting a user account, a service account, is that it may be used across other databases; you'd hope not, but it could be. But the machine account is still very useful if you're able to get the NTLM hash. So if we just jump back into here, we've got no detections related to SQL. This one, I was going to turn it off, but it's funny:

Kali changed the hostname. When Kali authenticates to Windows, the hostname is passed; the amount of red teams we've caught because "kali" is present as the hostname is not zero, and it kind of should be. Just change it. And that, I suppose, is the advantage of being on the logging side: we see what the tools do, and it's kind of funny to us, we do like to see it. Parrot's the same: if you authenticate to Windows, the operating system passes a heap of data you may be unaware of. So we'll close that one out, we'll pretend we changed the hostname, so that one's gone. We don't get anything, so we've got the

NTLM hash for a system. I authenticated because I'd already done... let's say I was really smart and got that user account, and we've authenticated and run a stored procedure, and we get nothing. So I'll do... let me go, over time, I'll do one more, and we'll just steal our password hash for the sa account.

So sa is built in, and what will happen here is very quick, so we paste this in and go. Now sqsh doesn't return it very nicely, but luckily for me sa is at the bottom there; there's the SQL password hash for the sa account, nice and easy to get that one. You need some privilege to run that particular query, and we've cheated and given ourselves admin rights in the database, but we do that to progress the testing; we're not smart enough to escalate ourselves. So once again we'll have nothing, but we jump into our database and execute, "completed successfully", excellent; logging's here. So if we go across to this database audit spec, this

took way, way too long for me to figure out: we refresh it and we get it, yeah, cool. Oh, this one here, let's open that. Oh, it has come in, but the security policies... you actually have to refresh each item to get the data to show, and that took me way too long to figure out. That's in there now. We will very quickly run our SQL sa query, go, we've got it outside. I'll run one more that we did run before; let's just turn on xp_cmdshell, so sp_configure, type

it all, so xp_cmdshell... it doesn't work. The beauty of some of these is even where the statement doesn't work it may still generate the log we need, so not all the tests will result in a system change, which is the way we want it sometimes. Now the logging has been turned on, and we have an agent on that box, but it would be the same with Windows Event Forwarding, and we go and run the same test again, and we've got stuff to do with the database now. It's that quick: once we turn it on with the SQL monitoring it just goes live and comes through. So I'll wrap the live demo up

there, but you can see the speed at which we can get the logs in now, now that we've got that SQL script to do what we need. So I won't go through all the detections, because these slides were in case my demo didn't work, so I did have a slight backup plan. The only one that I will go through is this one here, of course, [Music] xp_cmdshell... trusted assembly. This is the cool one. So this is another stored procedure, only available in 2017 and above, and it'll allow us to get another way to execute commands. Took me, you know, way too long; I didn't solve it

in the end, but we can see here there is a difference between these two slides. The big difference is in this demo that they give you, you can call a single file name; we can pop... everyone pops calc, you can pop calc, because you're not going to pass any arguments. When I tried to put all the arguments into the file name it didn't work; split out into info.Arguments, it worked, and this is what happened time and time again with the testing: the source code can be so wrong sometimes, and it does take quite a while to understand the error, adjust it and get to where we need to be. Now what this one would have done in the

background is, yep, told you it's attacking: you'll go and download this DLL, it will then add the hash, and this is what we can detect. We can't actually detect this running; it adds a hash to the trusted assemblies so the SQL will run it, then it goes through all of this, calls it as a custom stored procedure, and we would get an Empire beacon back to our box. There's the same slide in case the demo didn't work, but I think I'm running out of time anyway, and we would get our system agent back, or we can get the beacon running as the SQL service account. Detections for all of these: they are in

the slides. You will laugh at their simplicity; there's no need to overcook these. We group by some users there, we set the ID in Windows to narrow the amount of alerts, sorry, of events, the alerts are going to look at, and this one is simply a regex saying if this statement contains "trusted assembly", dot star, which is anything, "HTTP". That is a detection for a stored procedure grabbing a DLL from the internet; it's really sometimes as simple as that. There were many struggles through this: the exactness of logging, we've been through that in the configuration, you need to know everything you want to log ahead of time, and that's not always possible even with testing tools, which

is the second part. The testing breadth is massive; we have only five tools up there because they're open source, but there's more: each of the frameworks has built-in modules for SQL that we haven't tested yet. You're then in a position where, testing, nothing happens, go back to the configuration, retest, retest, retest. Log structure, which is... that's breadth, and testing. Log structure: this is probably the worst regex ever, 22,000 steps, 22,000, on the regex, but it got the bits I wanted. So then my colleague fixed it, and we're still in the couple of thousand steps for these, because what SQL does is... it's XML technically, that's correct, but it just dumps all of

this data into the data tags, unstructured. It is in relatively the same order each time, but all we want is the statement, the user and a few other bits and pieces, and for regex to do this, yeah, it's expensive. It has been slightly fixed, yeah, and all that is in one XML tag, so it's difficult to get to the bits that we want. And then deployment: deployment is difficult. It's not the end of the world; I'm sure all the DBAs can go and automate all of this, but it does need to be done on every single database. There's no easy way just to group policy this up, I don't know of any way, so there is a

there is a manual change. If we then need to add stuff in six months because we've found new stored procedures, it may be easy just to rip the config out and put the whole new config back in. So next up for us on all of this is custom application monitoring; it's going to be difficult, but with the queries and the executions we're going to be able to begin to look at that. And, surprise to me, there's an application into OT that we had never even thought of until we read this Mandiant report, which was related to COSMICENERGY. It stood out to us: there's Windows boxes in all of these, and MS SQL is abused to

get a command to run against a a unit a control unit the advice is to look for the enablement on of extended store procedures but unfortunately and I understand why it does not go into what we need to look for so simply turning the store procedure on is relatively easy to detect what you then do with the store procedure is really really important and we haven't been able to do it the artifacts as of as I've said there is a GitHub repository which will contain um the source code for the dll if you want to run SQL Recon to get a shell or you're choosing it'll have Json for the metadata testing detections and then the

overall spreadsheet just with the summary of all the detections and configuration related to those I was only allowed to do one transition like that um any questions on any of that oh yeah so obviously very complicated to sort of go through that whole process in terms of like we've got the problem we're trying to solve this problem how do we go for it can you is there some kind of defined methodology or process that you're using in terms of like going through this I have this problem set how do I get to this Android Lucid Mary Lucy and Nicole and the reason for it is it's always different so we take something like certificate abuse which is 18 months old now and it

once again comes down to our basic process, which is: let them use it, and then we need to be able to detect that abuse. That's the process. It's unfortunate that every time the abuse is different, and so is the end goal, so there's no formal process. We know what we want to achieve and it's working our way back from, oh no, detections, all the way back to the tool and then back forwarding. Yeah, I'd love it if there was a process.

Oh yeah, it sort of implies that it's a very specialized and high-level skill, if you need to sort of have those people who know what they're looking for.

Yeah, I'd say it's an issue of skills,

um, but yeah, it has to be done, because the problem with these tools, the authors of the tools, they're brilliant, they're way smarter than me. I'm just going to use them and then work my way back. Attackers don't care if you don't have time to get your logging right and your detections right, so it's probably a skill set that evolves over time as well in a SOC. But yeah, a lot of it is interest as well: getting it from Hack The Box, that's where there was already some research, but then the rabbit hole was, let's mimic this Hack The Box. Yes, any others?

Oh yeah, if someone wants to give them their

thoughts: is there much more risk to performance or operations, you know, different setup, and why too much? No, just do it. No, no, no, we've deployed, we've deployed it out. So our advice to the others we're working with, obviously: pick your test box, do that through all of the testing. No impact to the database; it's not a high-volume logging set. But if I was to give you a massive Sysmon config and go and put that on your domain controllers, yeah, we might generate hundreds a second. To do stuff in general, this tops out in a longer second for a box. Yes?

That's in a risk-reward conversation: is the risk of that data going into an application (you can point it at Security, so only local admins can read it), is the risk of that data, in table names and in the query, high enough for it not to be used in detections? And it changes from org to org. Some orgs will be, yeah, that's fine, the actual table structure, we can have some of that sensitive data in our logs; the benefit of the detections outweighs the risk of that data being in the SIEM platform and on the box.

Yeah, difficult though, because we don't know necessarily ahead of time what query might generate sensitive data. Yeah,

yeah. You're saying that obviously it's not very well logged at the moment and a lot of people are aware of this. In your investigations, because this isn't going to be logged out at all, are you seeing much pressure on the production to make protection information, or do they just not care?

Because I think there has been enough detection: if you had good detections on the OS you could get by, because at some point, if I executed that DLL, I'll get OS-level detections, and so people were kind of, well, we got them, we're not sure exactly how they did it, but we got them, and it's good enough. And honestly there's easier ways: if a ransomware gang gets into an

environment, you're probably not going to hit SQL. They're going to abuse certs, they're going to abuse Kerberos, and those sorts of things are still so easy to abuse that this is a bit more niche. But the problem for us is it doesn't matter, because what are they going to do tomorrow? And that's why we have to put this in, whether we're going to get detections today or not. But I think in the past enough's been good enough, and getting OS-level detections, or once they break out your EDR gets them, not understanding how they abuse SQL hasn't been high on the priorities for orgs.

Well, I'm pretty sharing the technology, uh, yeah. Yep, do we share the slides after

this as well? That's up to you. Oh yeah, oh, it's right at the start, yeah, I'll go back. Please hold, please hold on.

Yep, that bottom one there. So yeah, there'll be an MS SQL monitoring, um, really holding that.

Yeah.

Just this one to start with, just because it's used everywhere; SCCM has it. Um, yeah, it's very out there. Some of the next stages are other ones, yeah, but none of this applies to Postgres or any other database type at all, Oracle, yeah, very specific. Another question?

Or to log into SQL? No, no. Does it have safety modules?

Yeah, and that's in the other slide where we looked at products. We avoided looking for another product to deploy, which is why we didn't look at Snare. We wanted, yeah, we just wanted to say, how do we get this natively, or as natively as we can, in the database here. Yep, because you've also got the Azure products for SQL admin, fazoola, we didn't look at those for this. This was how to create holes again, so

cool, thanks Tristan, thank you. [Applause]
