Microsoft Endpoint Protection JDBC log source parameters for predefined database queries
Predefined queries are customized statements that can join data from separate tables when the database is polled by the JDBC protocol. To successfully poll for audit data from the Microsoft Endpoint Protection database, create a new user or provide the log source with existing user credentials. For more information about creating a user account, see the Microsoft website (https://www.microsoft.com).
When using the JDBC protocol, there are specific parameters that you must use.
|
Parameter |
Description |
|---|---|
| Log Source Name | Type a unique name for the log source. |
| Log Source Description (Optional) | Type a description for the log source. |
| Log Source Type | Microsoft Endpoint Protection |
| Protocol Configuration | JDBC |
| Log Source Identifier |
Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol. If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2. |
| Database Type |
MSDE |
| Database Name | The name of the database to which you want to connect. |
| IP or Hostname |
Type the IP address or host name of the Microsoft Endpoint Protection SQL Server. |
| Port |
Type the port number that is used by the database server. The default port for MSDE is 1433. The JDBC configuration port must match the listener port of the Microsoft Endpoint Protection database. The Microsoft Endpoint Protection database must have incoming TCP connections that are enabled to communicate with QRadar. If you define a Database Instance when MSDE is used as the database type, you must leave the Port field blank in your configuration. |
| Username |
Type the user name the log source can use to access the Microsoft Endpoint Protection database. |
| Password |
Type the password the log source can use to access the Microsoft Endpoint Protection database. The password can be up to 255 characters in length. |
| Confirm Password |
Confirm the password that is used to access the database. The confirmation password must be identical to the password entered in the Password field. |
| Authentication Domain |
If you did not select Use Microsoft JDBC, Authentication Domain is displayed. If you select MSDE as the Database Type and the database is configured for Windows Authentication, you must populate the Authentication Domain field. Otherwise, leave this field blank. |
| Database Instance |
If you have multiple SQL server instances on your database server, type the database instance. If you use a non-standard port in your database configuration, or block access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration. |
| Predefined Query | From the list, select Microsoft Endpoint Protection. |
| Table Name | The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.). |
| Select List | The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field. |
| Compare Field | A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. Enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created. |
| Use Prepared Statements |
Select the Use Prepared Statements check box. Prepared statements allow the JDBC protocol source to set up the SQL statement one time, then run the SQL statement many times with different parameters. For security and performance reasons, it is suggested that you use prepared statements. Clearing this checkbox requires you to use an alternative method of querying that does not use pre-compiled statements. |
| Start Date and Time (Optional) |
Type the start date and time for database polling. The Start Date and Time parameter must be formatted as yyyy-MM-dd HH: mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval. |
| Polling Interval |
Type the polling interval, which is the amount of time between queries to the view you created. The default polling interval is 10 seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds. |
| EPS Throttle |
The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The valid range is 100 to 20,000. |
| Use Named Pipe Communication |
If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed. MSDE databases require the username and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default that is named pipe on the MSDE database. |
| Database Cluster Name |
If you selected the Use Named Pipe Communication, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly. |
| Use NTLMv2 |
If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed. Select the Use NTLMv2 check box. This option forces MSDE connections to use the NTLMv2 protocol when they communicate with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication. |
| Use Microsoft JDBC |
If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC. |
| Use SSL | If your connection supports SSL communication, select Use SSL. This option requires extra configuration on your Endpoint Protection database and also requires administrators to configure certificates on both appliances. |
| Microsoft SQL Server Hostname | If you selected Use Microsoft JDBC and Use
SSL, the Microsoft SQL Server Hostname parameter is displayed.
You must type the hostname for the Microsoft SQL server. |
For a complete list of JDBC protocol parameters and their values, see c_logsource_JDBCprotocol.html.