Hello, we are trying to decrypt login packets for MSSQL servers running 2008 R2. We have followed the instructions about creating/exporting/importing the key from the server to the SIEM to the letter. However, the username is showing up as N/A. The server is set to only encrypt login packets, not the entire connection. We've tried importing the file to the data source as well as copying and pasting the text of the key (so that there was no white space or comments). But we are still unable to see the SQL logins (Active Directory logins are visible). We are running 9.3.2 of the SIEM and are receiving the SQL information via a SPAN port. Any suggestions would be appreciated.
Copy the MSSQL Successful Logins rule and get rid of all the conditionals except the Regex for "^Login". They will then show up.