DCS event forwarding using SIEM solutions like Splunk, QRadar, ArcSight, Google Chronicle or other SIEM

Article ID: 175333

Updated On:

Products

Data Center Security Server
Data Center Security Server Advanced
Critical System Protection

Issue/Introduction

Can DCS forward events to third-party SIEM applications like Splunk, QRadar, ArcSight and Google Chronicle?

Cause

A Security Information and Event Management (SIEM) solution is running in the environment, and DCS events need to be forwarded to that solution for further processing.

Resolution

There is no native event forwarding functionality built into DCS; however, events can be collected by a SIEM solution that reads them directly from the DCS database.

The integration of DCS with third-party SIEM solutions is based on read-only access to the DCS database (SCSPDB).

During installation of the DCS manager, the user has the option to create a guest (read-only) user account for the database; the default name is scsp_guest. A custom user name can be specified instead if required.

Once this is configured, events can be pulled from the database and sent to SIEM tools such as Splunk or SSIM.

Within the SCSPDB database, the table of interest is CSPEVENT, which holds all the event data and can be queried for events of interest; it is exposed through the views listed below.

The SQL DBA needs to provide the third-party SIEM tool with a read-only user for the DCS database (default name SCSPDB). Read-only is sufficient: the collector never needs to write to SCSPDB, and a broader grant would only widen the impact of a compromised SIEM credential.

The account can be either a SQL-authenticated (local) user or an Active Directory user, as configured in SQL Server.

The queries run from the third-party tool should be executed with the NOLOCK hint (a WITH (NOLOCK) clause on the table or view in the SELECT statement) so that the collector does not take shared locks on the event table and block or deadlock the DCS manager's own writes. Note that NOLOCK is a read-uncommitted (dirty) read: under heavy insert load a poll can return a row before its transaction commits, or skip or repeat rows if pages move during the scan, so the collector should poll on a monotonically increasing key and de-duplicate rather than assume a single pass is exact.

The database views that expose event information are as follows.
NOTE: Pick either option 1 or option 2, not both, or the SIEM will receive duplicated events.

Option 1 - all events in one view:

All Events: CSPEVENT_VW

NOTE: If pulling all events from CSPEVENT_VW, do not also add the specific views listed in option 2.

Option 2 - one view per event class:

Only Detection Events: detection_vw

Only Prevention Events: prevention_vw

Only Management Events: management_vw
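The following T-SQL puts the steps above together: the DBA creates a dedicated read-only principal for the SIEM collector (or verifies the role membership of the installer-created scsp_guest account), confirms it cannot write, and the collector then polls CSPEVENT_VW WITH (NOLOCK) using a watermark so each poll only fetches new rows. This is an added example written for this article, not code shipped with DCS or with any of the SIEM products named. The login name siem_reader, the password placeholder, the Windows domain CORP, and the column name EVENT_ID are assumptions; the article does not document the view's columns, so step 3 lists the real column names to substitute before the collector query is used.

```sql
-- Added example, not from the original article or from DCS. Assumptions:
-- login/user name siem_reader, AD domain CORP and the column EVENT_ID on
-- CSPEVENT_VW are illustrative; confirm the real column list in step 3.

-- 1. DBA side: dedicated read-only principal for the SIEM collector.
--    db_datareader grants SELECT on every table and view in SCSPDB and nothing
--    else. Do not reuse the DCS manager's own service account for the collector.
USE [master];
CREATE LOGIN [siem_reader] WITH PASSWORD = 'REPLACE-WITH-VAULTED-SECRET';
-- Active Directory alternative (article allows either kind of account):
-- CREATE LOGIN [CORP\svc_siem_reader] FROM WINDOWS;

USE [SCSPDB];
CREATE USER [siem_reader] FOR LOGIN [siem_reader];
ALTER ROLE [db_datareader] ADD MEMBER [siem_reader];

-- 2. Verify the principal is read-only before handing it over.
--    Run the same check against scsp_guest if that account is used instead.
--    Expected: can_read = 1, every other column = 0.
SELECT IS_ROLEMEMBER('db_datareader', 'siem_reader') AS can_read,
       IS_ROLEMEMBER('db_datawriter', 'siem_reader') AS can_write,
       IS_ROLEMEMBER('db_ddladmin',   'siem_reader') AS can_ddl,
       IS_ROLEMEMBER('db_owner',      'siem_reader') AS is_owner;

-- 3. Discover the view's actual columns; pick the monotonically increasing
--    key (assumed below to be EVENT_ID) that the collector will watermark on.
SELECT COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = 'CSPEVENT_VW'
ORDER BY ORDINAL_POSITION;

-- 4. Collector side, option 1: incremental pull of all events WITH (NOLOCK),
--    as the article requires, so the poll never blocks DCS manager inserts.
--    NOLOCK is a dirty read, so the collector keeps @last_id between polls and
--    de-duplicates on EVENT_ID; a bounded TOP keeps each poll short.
DECLARE @last_id BIGINT = 0;   -- persisted by the SIEM input between polls (assumption)

SELECT TOP (5000) *
FROM CSPEVENT_VW WITH (NOLOCK)
WHERE EVENT_ID > @last_id
ORDER BY EVENT_ID;

-- 4b. Option 2 equivalent, never combined with option 1 (duplicates otherwise):
-- SELECT TOP (5000) * FROM detection_vw  WITH (NOLOCK) WHERE EVENT_ID > @last_id ORDER BY EVENT_ID;
-- SELECT TOP (5000) * FROM prevention_vw WITH (NOLOCK) WHERE EVENT_ID > @last_id ORDER BY EVENT_ID;
-- SELECT TOP (5000) * FROM management_vw WITH (NOLOCK) WHERE EVENT_ID > @last_id ORDER BY EVENT_ID;
```

Steps 1 and 2 are run once by the DBA; steps 3 and 4 are what the SIEM's database input (for example a scheduled SQL input in Splunk or a JDBC log source in QRadar) executes on each poll, with @last_id replaced by the highest EVENT_ID the collector has already stored.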