Creating a database view for Microsoft SharePoint
Microsoft SharePoint uses SQL Server Management Studio (SSMS) to manage the SharePoint SQL databases. To collect audit event data, you must create a database view on your Microsoft SharePoint server that is accessible to IBM® QRadar®.
Before you begin
Do not use a period (.) in the name of your view, or in any of the table names. If you use a period in your view or table name, JDBC cannot access the data within the view and access is denied. Anything after a (.) is treated as a child object.
- Log in to the system that hosts your Microsoft SharePoint SQL database.
- From the Start menu, select Run.
Type the following command:
The Microsoft SQL Server 2008 displays the Connect to Server window.
- Log in to your Microsoft SharePoint database.
- Click Connect.
- From the Object Explorer for your SharePoint database, click .
- From the navigation menu, click New Query.
In the Query pane, type the following Transact-SQL statement to create the
AuditEvent database view:
create view dbo.AuditEvent as select a.siteID
,a.ItemId ,a.ItemType ,u.tp_Title as "User" ,a.MachineName ,a.MachineIp ,a.DocLocation ,a.LocationType ,a.Occurred as "EventTime" ,a.Event as "EventID" ,a.EventName ,a.EventSource ,a.SourceName ,a.EventData
from WSS_Content.dbo.AuditData a, WSS_Content.dbo.UserInfo u where a.UserId = u.tp_ID and a.SiteId = u.tp_SiteID;
From the Query pane, right-click and select
If the view is created, the following message is displayed in the results pane:
Command(s) completed successfully.
The dbo.AuditEvent view is created. You are now ready to configure the log source in QRadar to poll the view for audit events.