Creating a database view

The Microsoft Endpoint Protection SQL databases are managed with SQL Server Management Studio (SSMS), which is where the database view is created.

Procedure

  1. Log in to the system that hosts your Microsoft Endpoint Protection SQL database.
  2. From the Start menu, select Run.
  3. Type the following command:

    ssms

  4. Click OK.
  5. Log in to your Microsoft Endpoint Protection database.
  6. From the Object Explorer, select Databases.
  7. Select your database and click Views.
  8. From the navigation menu, click New Query.
  9. In the Query pane, type the following Transact-SQL statement to create the database view:
    CREATE VIEW dbo.MalwareView AS
    SELECT n.Type, n.RowID, n.Name, n.Description, n.Timestamp, n.SchemaVersion,
           n.ObserverHost, n.ObserverUser, n.ObserverProductName, n.ObserverProductversion,
           n.ObserverProtectionType, n.ObserverProtectionVersion,
           n.ObserverProtectionSignatureVersion, n.ObserverDetection, n.ObserverDetectionTime,
           n.ActorHost, n.ActorUser, n.ActorProcess, n.ActorResource, n.ActionType,
           n.TargetHost, n.TargetUser, n.TargetProcess, n.TargetResource,
           n.ClassificationID, n.ClassificationType, n.ClassificationSeverity,
           n.ClassificationCategory, n.RemediationType, n.RemediationResult,
           n.RemediationErrorCode, n.RemediationPendingAction, n.IsActiveMalware,
           i.IP_Addresses0 AS SrcAddress
    FROM v_AM_NormalizedDetectionHistory n
    JOIN v_RA_System_ResourceNames s ON n.ObserverHost = s.Resource_Names0
    JOIN Network_DATA d ON s.ResourceID = d.MachineID
    JOIN System_IP_Address_ARR i ON d.MachineID = i.ItemKey
    WHERE d.IPEnabled00 = 1
      AND i.IP_Addresses0 LIKE '%.%.%.%';
  10. From the Query pane, right-click and select Execute.

    If the view is created, the following message is displayed in the results pane:

    Command(s) completed successfully.
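The following Transact-SQL is an added example, not part of the IBM or Microsoft documentation. It verifies the view created in step 9 and then restricts the account that QRadar will poll with to SELECT on that view alone; the database name, the login name qradar_reader and the password are placeholders you must replace. The duplicate check goes slightly beyond the procedure: it follows from the join on System_IP_Address_ARR, which yields one row per IPv4 address a machine reports.

```sql
-- Added example (not from the original documentation). Run in SSMS after step 10.
-- Placeholders: [YourEndpointProtectionDB], qradar_reader, the password string.
USE [YourEndpointProtectionDB];
GO

-- 1. Confirm the view exists in the dbo schema.
SELECT s.name AS schema_name, v.name AS view_name, v.create_date
FROM sys.views AS v
JOIN sys.schemas AS s ON s.schema_id = v.schema_id
WHERE s.name = 'dbo' AND v.name = 'MalwareView';

-- 2. Spot-check what the collector will read: the latest detections and the
--    source address the view attaches to each one (SrcAddress is defined in step 9).
SELECT TOP (10) RowID, Timestamp, ObserverHost, SrcAddress, Name, ClassificationSeverity
FROM dbo.MalwareView
ORDER BY Timestamp DESC;

-- 3. Find detections the IP join has multiplied: a host with several IPv4
--    addresses in System_IP_Address_ARR produces one row per address, which
--    shows up as duplicate events on the SIEM side.
SELECT RowID, COUNT(*) AS row_count
FROM dbo.MalwareView
GROUP BY RowID
HAVING COUNT(*) > 1;

-- 4. Least privilege for the polling account (assumed name qradar_reader):
--    SELECT on the view only, no rights on the underlying tables. Ownership
--    chaining lets the view read its dbo base objects on the account's behalf.
CREATE LOGIN qradar_reader WITH PASSWORD = '<replace-with-a-strong-password>';
CREATE USER qradar_reader FOR LOGIN qradar_reader;
GRANT SELECT ON OBJECT::dbo.MalwareView TO qradar_reader;
GO
```

Step 3 returning rows is not an error in the view; it tells you to expect repeated events for multi-homed hosts and to decide whether that is acceptable before pointing the log source at the database. Step 4 needs server-level permission to create the login, so run it as an administrator rather than as the polling account.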

What to do next

You are now ready to configure a log source in IBM QRadar.