
Sophos & QRadar - Initial config (table named 'vEventsCommonData' does not exist)

We are new customers to Sophos Endpoint. I'm trying to help our Infosec people set up QRadar to query the SQL server for Sophos logging. However, the IBM documentation for the setup is out-of-date and Sophos provides no support for the QRadar setup, from what I can tell.

I have found that there is no more Reporting Interface installation - the tables it used to install are already included with the Sophos521 database. However, QRadar wants to query a table named 'vEventsCommonData' which doesn't exist. There is, however, a VIEW named that, but QRadar throws this error message:

Protocol Provider Thread: class
com.q1labs.semsources.sources.jdbc.JdbcEventConnector111] java.sql.SQLException:
Invalid object name 'vEventsCommonData'.

QRadar is set up to use my SophosSQL account, which has the dbcreator permission that Sophos says it needs. Is it possible that this account needs some other permissions? Or maybe QRadar needs a special config to query the VIEW instead of the TABLE?

Searching for info on Sophos & QRadar yields next-to-nothing, so I hope someone here knows how to configure it.

Thanks!

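The error QRadar reports is SQL Server's own "Invalid object name", and in SQL Server that message has three common causes that are worth separating before touching QRadar: the connection is landing in a database other than the one holding the view (the login's default database, or no database name in the log source config), the object lives in a schema other than the one the unqualified name resolves to, or the principal simply has no permission on it. SQL Server hides catalog metadata for objects a principal cannot access, so a missing SELECT grant shows up as "Invalid object name" rather than "permission denied". dbcreator is also a server-level role: it lets a login create databases, but grants nothing inside a database that already exists. The following diagnostic script is an added example, not from the original post, Sophos, or IBM; it assumes the database is named Sophos521 and the collector login is SophosSQL (both taken from the post) and that the view sits in the dbo schema. Run it as a sysadmin in SQL Server Management Studio.

```sql
-- Added diagnostic script, not from the original post or from Sophos/IBM docs.
-- Assumes database Sophos521 and login SophosSQL as named in the post,
-- and that the view is in the dbo schema. Run as sysadmin.
USE [Sophos521];
GO

-- 1. Does the object exist here, and in which schema? Views appear in
--    sys.objects with type_desc = 'VIEW'. A view in a non-dbo schema or in
--    another database gives "Invalid object name" for an unqualified name.
SELECT DB_NAME()               AS database_name,
       SCHEMA_NAME(schema_id)  AS schema_name,
       name, type_desc, create_date
FROM sys.objects
WHERE name = N'vEventsCommonData';

-- 2. Where does the login land by default? If this is not Sophos521 and the
--    QRadar log source carries no database name, the query runs elsewhere.
SELECT name, default_database_name, is_disabled
FROM sys.server_principals
WHERE name = N'SophosSQL';

-- 3. dbcreator is a server role and grants nothing inside this database.
--    Check whether the login is even mapped to a user here; no row means
--    the login cannot open the database at all.
SELECT IS_SRVROLEMEMBER('dbcreator', 'SophosSQL') AS is_dbcreator;
SELECT dp.name AS db_user, dp.type_desc
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.sid = dp.sid
WHERE sp.name = N'SophosSQL';

-- 4. Effective permission on the view as the collector login.
--    HAS_PERMS_BY_NAME returns 1 (granted), 0 (denied/absent) or NULL when
--    the name cannot be resolved in this context. If step 3 returned no row,
--    the EXECUTE AS itself fails, which is the same root cause.
EXECUTE AS LOGIN = 'SophosSQL';
SELECT HAS_PERMS_BY_NAME('dbo.vEventsCommonData', 'OBJECT', 'SELECT') AS can_select;
SELECT TOP (1) * FROM dbo.vEventsCommonData;   -- reproduces QRadar's error if it fails
REVERT;
GO
```

Step 4 is the one that matters: if it reproduces the error under `EXECUTE AS LOGIN`, the problem is on the SQL Server side (mapping or grant), not in QRadar; if it succeeds, compare the database name and schema from step 1 with what the QRadar JDBC log source is configured to use.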


  • Oh interesting. I don't know what version of QRadar we're using, but we got it working. An InfoSec admin had us create a custom view with this script:

    CREATE VIEW threats_view AS
    SELECT t.ThreatInstanceID, t.ThreatType, t.FirstDetectedAt,
           c.Name, c.LastLoggedOnUser, c.IPAddress, c.DomainName, c.OperatingSystem, c.ServicePack,
           t.ThreatSubType, t.Priority, t.ThreatLocalID, t.ThreatLocalIDSource, t.ThreatName,
           t.FullFilePathCheckSum, t.FullFilePath, t.FileNameOffset, t.FileVersion, t.CheckSum,
           t.ActionSubmittedAt, t.DealtWithAt, t.CleanUpable, t.IsFragment, t.IsRebootRequired,
           t.Outstanding, t.Status, InsertedAt
    FROM <Database Name>.dbo.ThreatInstancesAll AS t
    JOIN <Database Name>.dbo.Computers AS c ON t.ComputerID = c.ID;

    Changing <Database Name> to the database name, naturally.

    After we did that and granted rights to the new DB, QRadar began working. Not sure why it couldn't use the built-in view meant for QRadar, but whatever.

    Thanks for the reply. I'll mark this as answered.

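The reply's fix is the custom view plus "granted rights"; what those rights should be is the part worth being precise about, because a SIEM collector account only ever reads. It does not need dbcreator, db_datareader, or any rights on the base tables: a database user mapped to the login with SELECT on the one view it polls is enough, and because the view and the tables it reads (ThreatInstancesAll, Computers) are all owned by dbo, SQL Server's ownership chaining lets the user query the view without being able to touch the tables directly. The script below is an added example, not from the thread; it assumes the database is Sophos521 and the login is SophosSQL (from the post) and that the reply's threats_view was created in the dbo schema. Run it as a sysadmin.

```sql
-- Added least-privilege provisioning script, not from the original thread.
-- Assumes database Sophos521, login SophosSQL (both from the post) and that
-- the reply's threats_view lives in the dbo schema. Run as sysadmin.
USE [Sophos521];
GO

-- Map the existing server login to a database user if it is not mapped yet.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'SophosSQL')
    CREATE USER [SophosSQL] FOR LOGIN [SophosSQL];
GO

-- Grant only what the collector needs: SELECT on the one view it polls.
-- No db_datareader, no rights on ThreatInstancesAll/Computers, no server roles.
GRANT SELECT ON OBJECT::dbo.threats_view TO [SophosSQL];
GO

-- Verify from the collector's point of view. The view works through
-- ownership chaining (view and base tables both owned by dbo); the base
-- table itself stays inaccessible to this user.
EXECUTE AS USER = 'SophosSQL';
SELECT HAS_PERMS_BY_NAME('dbo.threats_view',       'OBJECT', 'SELECT') AS can_select_view,   -- expect 1
       HAS_PERMS_BY_NAME('dbo.ThreatInstancesAll', 'OBJECT', 'SELECT') AS can_select_table;  -- expect 0, or NULL if hidden
SELECT TOP (5) Name, ThreatName, FullFilePath, FirstDetectedAt, Status
FROM dbo.threats_view
ORDER BY FirstDetectedAt DESC;
REVERT;
GO
```

If the view was created in a schema other than dbo (CREATE VIEW without a schema prefix lands in the creating user's default schema), adjust the OBJECT:: name accordingly; a schema mismatch here produces exactly the "Invalid object name" error from the original question.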