Can DCS forward events to third-party SIEM applications like Splunk, QRadar, ArcSight and Google Chronicle?
A Security Information and Event Management (SIEM) solution is running in the environment and DCS events need to be forwarded to it for further processing.
There is no native event forwarding functionality built into DCS; however, a SIEM solution can collect the events by reading them from the DCS database.
The integration of DCS with a third-party SIEM solution is based on read-only access to the DCS database (default name SCSPDB).
During installation of the DCS manager, the user has the option to create a guest (read-only) account for the database; the default name is scsp_guest. A custom user name can be chosen instead if required.
Once this is configured, events can be pulled from the database and sent to SIEM tools such as Splunk or SSIM.
Within the SCSPDB database, the table of interest is CSPEVENT, which holds all event data and can be queried for events of interest.
The SQL DBA needs to provide the third-party SIEM tool with a read-only user for the DCS database (default name SCSPDB). That account should have no write permissions on SCSPDB, and its credentials should be restricted to the SIEM collector.
The account can be a local SQL login or an Active Directory account, as configured in SQL Server.
The queries issued by the third-party tool should use the WITH (NOLOCK) table hint in the SELECT statement so that they do not take shared locks that block, or deadlock with, the DCS manager's own writes. Note that NOLOCK reads uncommitted data: a poll may occasionally return a row that is later rolled back, or miss a row that is still being written, so the SIEM should de-duplicate on the event key rather than assume each poll is exact.
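The following T-SQL is an added example of how a DBA could provision that read-only principal; it is not part of the original article or of the DCS product. The login name siem_reader, the password placeholder and the dbo schema for the views are assumptions; substitute the installer-created scsp_guest account or your own naming.

```sql
-- Added example (not from the original article): provision a read-only
-- SQL principal for the SIEM collector. Assumed names: login/user
-- siem_reader, the password placeholder, and the dbo schema for the views.
USE [master];
GO
-- Option A: SQL-authenticated login. The password is a placeholder; pull the
-- real one from a vault. CHECK_POLICY enforces the Windows password policy.
CREATE LOGIN [siem_reader]
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
GO
-- Option B: Active Directory account instead of a SQL login (assumed name).
-- CREATE LOGIN [CORP\svc_siem_reader] FROM WINDOWS;
-- GO

USE [SCSPDB];
GO
CREATE USER [siem_reader] FOR LOGIN [siem_reader];
GO
-- db_datareader grants SELECT on every table and view in SCSPDB and nothing
-- else (no INSERT/UPDATE/DELETE, no DDL). Requires SQL Server 2012 or later.
ALTER ROLE [db_datareader] ADD MEMBER [siem_reader];
GO
-- Tighter alternative: grant SELECT on the event views only, and skip the role.
-- GRANT SELECT ON OBJECT::dbo.CSPEVENT_VW TO [siem_reader];
-- GO

-- Verification: impersonate the collector and confirm it can read the event
-- view but cannot write to the underlying table. Expected result: 1, 0.
EXECUTE AS USER = 'siem_reader';
SELECT HAS_PERMS_BY_NAME('dbo.CSPEVENT_VW', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.CSPEVENT',    'OBJECT', 'INSERT') AS can_insert;
REVERT;
GO
```

Run this as a sysadmin (or db_owner of SCSPDB for the second half) from SSMS or sqlcmd; the final SELECT should return can_select = 1 and can_insert = 0 before the credentials are handed to the SIEM team.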
The names of the database views that expose event information are as follows:
NOTE: Pick either option 1 or option 2, not both, or you will get duplicated events.
Option 1-
To pull all events: CSPEVENT_VW
NOTE: If pulling all events from CSPEVENT_VW, do not also pull the specific views listed in option 2.
Option 2-
Only detection events: detection_vw
Only prevention events: prevention_vw
Only management events: management_vw
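The following T-SQL is an added example of the polling pattern a SIEM collector would run against these views; it is not part of the original article or of the DCS product. Step 1 uses real SQL Server metadata to list the columns each view actually exposes. Step 2 assumes the dbo schema and an increasing key column named EVENT_ID in CSPEVENT_VW; that column name is an assumption, so substitute whichever key step 1 shows.

```sql
-- Added example (not from the original article). The column name EVENT_ID
-- and the dbo schema are assumptions; replace them with what step 1 returns.
USE [SCSPDB];
GO
-- Step 1: discover the columns exposed by each event view so the collector
-- can choose its watermark column instead of guessing. Run once as the DBA.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME IN ('CSPEVENT_VW', 'detection_vw', 'prevention_vw', 'management_vw')
ORDER BY TABLE_NAME, ORDINAL_POSITION;
GO

-- Step 2: incremental pull (option 1, all events). The collector persists the
-- highest key it has forwarded and asks only for rows above it, batch-limited
-- and ordered so the watermark advances deterministically.
-- WITH (NOLOCK) avoids shared locks that could block or deadlock with the DCS
-- manager's writes, at the cost of dirty reads: a row may show up in two
-- consecutive polls or, rarely, be skipped, so the SIEM should de-duplicate
-- on the key. For option 2, run the same statement against detection_vw,
-- prevention_vw and management_vw instead of CSPEVENT_VW, never both sets.
DECLARE @last_event_id BIGINT = 0;   -- stored by the collector between polls
DECLARE @batch_size    INT    = 5000;

SELECT TOP (@batch_size) *
FROM dbo.CSPEVENT_VW WITH (NOLOCK)
WHERE EVENT_ID > @last_event_id
ORDER BY EVENT_ID;
GO
```

After each batch the collector sets @last_event_id to the largest EVENT_ID it forwarded; a batch smaller than @batch_size means it has caught up and can sleep until the next poll interval.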