Microsoft SharePoint uses SQL Server Management Studio (SSMS) to manage the SharePoint SQL databases. To collect audit event data, you must create a database view on your Microsoft SharePoint server that is accessible to IBM®
QRadar®.
Before you begin
Do not use a period (.) in the name of your view, or in any of the table names. If you use a
period in your view or table name, JDBC cannot access the data within the view and access is denied.
Anything after a (.) is treated as a child object.
Procedure
-
Log in to the system that hosts your Microsoft SharePoint SQL database.
-
From the Start menu, select Run.
-
Type the following command:
-
Click OK.
The Microsoft SQL Server 2008 displays the Connect to Server window.
-
Log in to your Microsoft SharePoint database.
-
Click Connect.
-
From the Object Explorer for your SharePoint database, click .
-
From the navigation menu, click New Query.
-
In the Query pane, type the following Transact-SQL statement to create the
AuditEvent database view:
create view dbo.AuditEvent as select a.siteID
,a.ItemId ,a.ItemType ,u.tp_Title as "User" ,a.MachineName ,a.MachineIp ,a.DocLocation ,a.LocationType ,a.Occurred as "EventTime" ,a.Event as "EventID" ,a.EventName ,a.EventSource ,a.SourceName ,a.EventData
from WSS_Content.dbo.AuditData a, WSS_Content.dbo.UserInfo u where a.UserId = u.tp_ID and a.SiteId = u.tp_SiteID;
-
From the Query pane, right-click and select
Execute.
If the view is created, the following message is displayed in the results pane:
Command(s) completed successfully.
The dbo.AuditEvent view is created. You are now ready to configure the log
source in QRadar to poll the
view for audit events.