
DCS integration with SIEM solutions like Splunk, SSIM or ArcSight


Article ID: 175333


Products

Data Center Security Server, Data Center Security Server Advanced

Issue/Introduction

Can DCS forward events to third party SIEM applications like: Splunk, SSIM or ArcSight?

Cause

There is a Security Information and Event Management (SIEM) solution running in the environment and the need arises to forward DCS events to that solution for further processing.

Resolution

The integration of DCS with third-party SIEM solutions is based on read-only access to the DCS database (SCSPDB).

For this purpose, a database user (scsp_guest) can optionally be created during installation, or the customer can create one themselves.

This way, events can be pulled from the database and sent to SIEM tools like Splunk or SSIM. There is no native event forwarding functionality within DCS.

Within SCSPDB, the table of interest is CSPEVENT, which holds all the event data and can be queried for events of interest.


The SQL DBA needs to provide the third-party tool with a read-only user that can access the DCS database (default name SCSPDB).

Queries run from the third-party tool should be executed with the NOLOCK hint (a WITH (NOLOCK) clause in the SELECT statement).

The database views that expose event information are:

All events: CSPEVENT_VW

Detection events only: detection_vw

Prevention events only: prevention_vw

Management events only: management_vw
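The following T-SQL is an added example and is not part of this article or of the DCS product. It shows the two halves of the integration described above: the statements a SQL DBA would run to provision a least-privilege, read-only principal for the SIEM collector, and the polling queries the collector would then issue against the views with the WITH (NOLOCK) hint. The login name siem_reader, the password placeholder, and the [event_time] checkpoint column are assumptions; the article names only SCSPDB, CSPEVENT and the four views, and does not document the view columns.

```sql
-- Added example, not from the article. Assumptions: login/user name
-- siem_reader, the password placeholder, and a datetime column named
-- [event_time] on the views (hypothetical; check the real column name).

-- 1. DBA side: a dedicated login for the SIEM collector.
USE [master];
GO
CREATE LOGIN [siem_reader]
    WITH PASSWORD = N'<replace-with-a-strong-password>',
         CHECK_POLICY = ON;
GO

-- 2. Map the login into the DCS database and grant read-only access.
--    db_datareader allows SELECT on every table and view in SCSPDB and
--    nothing else; no write, DDL or server-level permission is granted.
USE [SCSPDB];
GO
CREATE USER [siem_reader] FOR LOGIN [siem_reader];
ALTER ROLE [db_datareader] ADD MEMBER [siem_reader];
GO

-- 3. Collector side: incremental pull from the "all events" view.
--    WITH (NOLOCK) reads without taking shared locks, so the collector
--    does not block the DCS manager's inserts into CSPEVENT.
--    @last_seen is the collector's persisted checkpoint (constructed value).
DECLARE @last_seen datetime2 = '2024-01-01T00:00:00';

SELECT TOP (1000) *
FROM CSPEVENT_VW WITH (NOLOCK)
WHERE [event_time] > @last_seen          -- hypothetical column name
ORDER BY [event_time];

-- 4. The same pattern against the category-specific views, for a SIEM
--    that ingests each event class into its own index or source type.
SELECT TOP (1000) * FROM detection_vw  WITH (NOLOCK) WHERE [event_time] > @last_seen ORDER BY [event_time];
SELECT TOP (1000) * FROM prevention_vw WITH (NOLOCK) WHERE [event_time] > @last_seen ORDER BY [event_time];
SELECT TOP (1000) * FROM management_vw WITH (NOLOCK) WHERE [event_time] > @last_seen ORDER BY [event_time];
```

Two points to keep in mind when wiring this into a collector. First, NOLOCK is equivalent to READ UNCOMMITTED: a row that is being inserted may be returned before it is committed, and rows can occasionally be skipped or returned twice while the underlying pages are being split. A collector that advances its checkpoint to the newest timestamp it has seen should therefore overlap each poll slightly (for example, subtract a few seconds from @last_seen) and de-duplicate on the event's primary key rather than assume each poll is exact. Second, the principal should hold no more than db_datareader; if the SIEM only needs the four views, a DBA can instead grant SELECT on those views alone, which is tighter than role membership.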