Can DCS forward events to third-party SIEM applications such as Splunk, SSIM or ArcSight?
A Security Information and Event Management (SIEM) solution is running in the environment and DCS events need to be forwarded to it for further processing.
Integration between DCS and a third-party SIEM is based on read-only access to the DCS database (SCSPDB). DCS has no native event-forwarding functionality; the SIEM pulls events from the database itself.
For this purpose a read-only database user (scsp_guest) can optionally be created during installation, or the customer can create one themselves.
Events are then pulled from the database by the SIEM connector (Splunk DB Connect, an SSIM collector, an ArcSight database connector, and so on).
Within SCSPDB, the table of interest is CSPEVENT, which holds all the event data and can be queried for events of interest.
The SQL DBA needs to provide the third-party tool with a read-only user for the DCS database (default name SCSPDB). Grant that user SELECT only; it must never hold write permissions on SCSPDB.
Queries run from the third-party tool should use the WITH (NOLOCK) table hint in the SELECT statement so that the collector does not take shared locks and block the DCS Manager while it is inserting events. Note that NOLOCK permits dirty reads: during heavy inserts a poll can occasionally return a row twice or miss one, so the SIEM side should poll incrementally on the event key and de-duplicate on it.
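The following T-SQL shows how the DBA can create the read-only user described above. This is an added example, not a script shipped with DCS: the login name siem_reader, the password placeholder and the dbo schema are assumptions; adjust them to the local naming standard. Option A gives the page's "read-only user on the database" (db_datareader). Option B is the tighter least-privilege variant that grants SELECT only on the event views, which is all the SIEM needs.

```sql
-- Run as a sysadmin / db_owner on the DCS SQL Server instance.
-- Names, password and the dbo schema are assumptions for this example.
USE [master];
GO
CREATE LOGIN [siem_reader]
    WITH PASSWORD = 'Replace-With-A-Strong-Passphrase!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;
GO

USE [SCSPDB];   -- default DCS database name; change if it was renamed at install
GO
CREATE USER [siem_reader] FOR LOGIN [siem_reader] WITH DEFAULT_SCHEMA = [dbo];
GO

-- Option A: read-only on the whole database (what the article asks the DBA for).
ALTER ROLE [db_datareader] ADD MEMBER [siem_reader];
GO

-- Option B (least privilege): SELECT only on the event views the SIEM will query.
-- Use this instead of Option A if the connector only ever reads these views.
-- REVOKE the role first if Option A was applied, so only the explicit grants remain.
-- ALTER ROLE [db_datareader] DROP MEMBER [siem_reader];
GRANT SELECT ON OBJECT::[dbo].[CSPEVENT_VW] TO [siem_reader];
GRANT SELECT ON OBJECT::[dbo].[detection_vw]  TO [siem_reader];
GRANT SELECT ON OBJECT::[dbo].[prevention_vw] TO [siem_reader];
GRANT SELECT ON OBJECT::[dbo].[management_vw] TO [siem_reader];
GO

-- Verify: the user must hold nothing but SELECT (and CONNECT) in SCSPDB.
EXECUTE AS USER = 'siem_reader';
SELECT permission_name, state_desc FROM fn_my_permissions(NULL, 'DATABASE');
SELECT permission_name FROM fn_my_permissions('dbo.CSPEVENT_VW', 'OBJECT');
REVERT;
GO
```

The final block runs under the new user's security context and lists its effective permissions; if anything other than CONNECT and SELECT appears, the grant is wider than intended and should be corrected before the SIEM connector is configured with these credentials.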
The database views that expose event information are listed below. Pick either option 1 or option 2; do not use both, or the SIEM will receive duplicated events.

Option 1, all events in one view:
  CSPEVENT_VW

Option 2, one view per event class (use these instead of CSPEVENT_VW, never in addition to it):
  Detection events only:  detection_vw
  Prevention events only: prevention_vw
  Management events only: management_vw
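As an added example of what the SIEM connector's polling query looks like (this is not a query shipped with DCS or documented by the article): it reads from the option 1 view with the WITH (NOLOCK) hint, pulls only rows newer than the last event the SIEM already stored, and returns them in key order so the connector can advance its watermark. The dbo schema, the batch size, and the name of the event key column (EVENT_ID here) are assumptions; confirm the real key column with the second statement before wiring this into the collector.

```sql
-- First, confirm the column layout of the view (column names are not given in the article).
SELECT TOP (1) * FROM [dbo].[CSPEVENT_VW] WITH (NOLOCK);

-- Incremental poll for the SIEM connector.
-- @last_id is the highest event key the SIEM persisted from the previous poll;
-- start at 0 for an initial backfill. EVENT_ID is an assumed column name.
DECLARE @last_id BIGINT = 0;

SELECT TOP (5000) *
FROM   [dbo].[CSPEVENT_VW] WITH (NOLOCK)
WHERE  EVENT_ID > @last_id
ORDER  BY EVENT_ID ASC;

-- Option 2 equivalent: the same incremental pattern against one class-specific view.
-- Run each of detection_vw / prevention_vw / management_vw with its own watermark,
-- and do NOT also poll CSPEVENT_VW, or every event will be ingested twice.
SELECT TOP (5000) *
FROM   [dbo].[detection_vw] WITH (NOLOCK)
WHERE  EVENT_ID > @last_id
ORDER  BY EVENT_ID ASC;
```

Polling on a monotonically increasing key rather than on a timestamp avoids re-reading the whole view on every cycle and gives the connector a stable value to de-duplicate on, which matters because NOLOCK reads can occasionally return a row twice while the DCS Manager is inserting. Keep the batch size bounded (TOP) so a large backlog is drained in pieces instead of one long-running read against the production database.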