Configuring the database view for Sophos Enterprise Console

To collect events in IBM QRadar, you need to configure a database view on your Sophos Enterprise Console device.

Procedure

  1. Log in to your Sophos Enterprise Console device command-line interface (CLI).
  2. Type the following command to create a custom view in your Sophos database to support QRadar:
    CREATE VIEW threats_view AS
      SELECT t.ThreatInstanceID, t.ThreatType, t.FirstDetectedAt,
             c.Name, c.LastLoggedOnUser, c.IPAddress, c.DomainName,
             c.OperatingSystem, c.ServicePack,
             t.ThreatSubType, t.Priority, t.ThreatLocalID, t.ThreatLocalIDSource,
             t.ThreatName, t.FullFilePathCheckSum, t.FullFilePath, t.FileNameOffset,
             t.FileVersion, t.CheckSum, t.ActionSubmittedAt, t.DealtWithAt,
             t.CleanUpable, t.IsFragment, t.IsRebootRequired, t.Outstanding,
             t.Status, InsertedAt
      FROM <DatabaseName>.dbo.ThreatInstancesAll t, <DatabaseName>.dbo.Computers c
      WHERE t.ComputerID = c.ID;

    Where <DatabaseName> is the name of the Sophos database.

    Important: The database name must not contain any spaces.
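    The statements below are an added example and are not part of the IBM or Sophos documentation. They assume the Sophos database runs on Microsoft SQL Server (the dbo schema in the view definition points to that), that the database is named SOPHOS_DB (a placeholder), that the view was created in the dbo schema, and that a login named qradar_reader is used for collection; all of these names are assumptions. The example checks the "no spaces" requirement, confirms the view returns rows in the order a time-based poller reads them, and grants the collector account read access to the view only, so the QRadar credentials cannot read or modify anything else in the database.

```sql
-- Added example (not from the IBM page). Placeholder names: SOPHOS_DB, qradar_reader.

-- 1. The database name must not contain spaces; this lists any database that does.
SELECT name AS database_with_space
FROM sys.databases
WHERE name LIKE '% %';

USE SOPHOS_DB;
GO

-- 2. Confirm the view exists and returns the newest rows first.
--    InsertedAt is the column a time-based poller would compare against.
SELECT TOP (5) ThreatInstanceID, ThreatName, Name AS ComputerName, IPAddress, InsertedAt
FROM dbo.threats_view
ORDER BY InsertedAt DESC;

-- 3. Least privilege: a dedicated SQL login for the collector that can only
--    SELECT from the view, not from the underlying Sophos tables.
CREATE LOGIN qradar_reader WITH PASSWORD = '<StrongPasswordPlaceholder>', CHECK_POLICY = ON;
GO
CREATE USER qradar_reader FOR LOGIN qradar_reader;
GRANT SELECT ON OBJECT::dbo.threats_view TO qradar_reader;
GO

-- 4. Verify the grant: the collector can read the view...
EXECUTE AS USER = 'qradar_reader';
SELECT COUNT(*) AS visible_rows FROM dbo.threats_view;
-- ...but a direct read of the source table is denied (expected: permission error).
-- SELECT COUNT(*) FROM dbo.ThreatInstancesAll;
REVERT;
```

    Run step 1 and step 2 as a database administrator before configuring the log source in QRadar; if step 2 returns no rows, the view was created against the wrong database or the ThreatInstancesAll table is empty. Use the qradar_reader credentials, not an administrator account, when you configure the JDBC log source.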

What to do next

After you create your custom view, you must configure QRadar to receive event information by using either the JDBC protocol or the Sophos Enterprise Console JDBC protocol.