Dallas Lock 8.0 Сервер Безопасности сбор из СУБД MS SQL

Данное руководство описывает процесс настройки сбора и отправки событий Dallas Lock 8.0 Сервер безопасности в R-Vision SIEM.

Предварительные требования

  • Сетевая доступность между R-Vision SIEM и СУБД Dallas Lock 8.0 Сервер Безопасности (tcp/1433).

  • Учетная запись в СУБД с правами на чтение таблиц используемых Dallas Lock (Сбор событий из БД).

Настройка в СУБД MS SQL

Для сбора событий Dallas Lock СБ из базы данных MS SQL необходимо настроить подключение R-Vision SIEM под служебной УЗ с соответствующими правами.

Создание учетной записи в СУБД MS SQL

Чтобы создать сервисную УЗ, подключитесь к СУБД с правами администратора. Для этого выполните следующие действия в SQL Server Management Studio:

  1. Выберите New Login в контекстном меню для Security/Logins.

    dallas lock sb mssql 1

  2. Создайте сервисную учетную запись.

    dallas lock sb mssql 2

  3. Предоставьте учетной записи права на чтение базы Dallas Lock.

    dallas lock sb mssql 3

Настройка сервера MS SQL

В настройках SQL Server Configuration Manager убедитесь, что TCP/IP включен в конфигурации сети SQL Server.

dallas lock sb mssql 4

Настройка Dallas Lock 8.0 Сервер Безопасности

Необходимо настроить периодичность сбора событий с конечных АРМ на Сервер Безопасности. Для этого:

  1. Нажмите на значок в левом верхнем углу и в раскрывшимся меню нажмите Параметры сервера безопасности.

    dallas lock sb settings 1

  2. На вкладках WINDOWS и LINUX установите минимально возможную частоту сбора журналов: 5 минут.

    dallas lock sb settings 2

  3. Нажмите ОК.

Сервер Безопасности Dallas Lock настроен.

Настройка в R-Vision SIEM

Для интеграции источника с R-Vision SIEM выполните следующие действия:

  1. В интерфейсе R-Vision SIEM создайте новый конвейер в коллекторе.

  2. Добавьте на конвейер элемент Точка входа со следующими параметрами:

    • Тип точки входа: Database.

    • SQL-запрос:

      SQL-запрос
      SELECT TOP 10000 'CONNECT' AS journal_name
          ,recID AS connect_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,processName AS process_name
          ,processID as process_id
          ,permit AS permit
          ,EventOnConnect AS event_on_connect
          ,DnsName AS dns_name
          ,protocol AS protocol
          ,localAddress AS local_address
          ,(LocalPort & 255) * 256 | cast((LocalPort/256) & 255 as bigint) AS local_port
          ,RemoteAddress AS remote_address
          ,(RemotePort & 255) * 256 | cast((RemotePort/256) & 255 as bigint) AS remote_port
          ,inDataLen AS in_bytes
          ,outDataLen AS out_bytes
          ,ruleId AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,AddressType AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,NULL AS computer_name
          ,NULL AS comment
          ,NULL as parameter
          ,NULL as action
          ,NULL as type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[Connect] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'PACKETS' AS journal_name
          ,recID AS packets_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,processName AS process_name
          ,processID as process_id
          ,permit AS permit
          ,NULL AS event_on_connect
          ,DnsName AS dns_name
          ,NULL AS protocol
          ,localAddress AS local_address
          ,(LocalPort & 255) * 256 | cast((LocalPort/256) & 255 as bigint) AS local_port
          ,RemoteAddress AS remote_address
          ,(RemotePort & 255) * 256 | cast((RemotePort/256) & 255 as bigint) AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,ruleId AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,AddressType AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,NULL as computer_name
          ,NULL AS comment
          ,NULL as parameter
          ,NULL as action
          ,NULL as type_of_attack
          ,NULL as target_user_name
          ,LatestProtocolID AS latest_protocol_id
          ,direction AS direction
          ,length AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[Packets] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'IPS_TRAFFIC' AS journal_name
          ,recID AS traffic_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,processName AS process_name
          ,processID AS process_id
          ,NULL AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,protocol AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,AlarmLevel AS alarm_level
          ,ruleAction AS rule_action
          ,AddressType AS address_type
          ,SourceAddress AS src_address
          ,DestAddress AS dst_address
          ,SignatureNumber AS signature_number
          ,Info AS signature_info
          ,NULL AS computer_name
          ,comment AS comment
          ,NULL AS parameter
          ,NULL AS action
          ,NULL AS type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[IPS_Traffic] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'PROCESS' AS journal_name
          ,recID AS processes_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,processName AS process_name
          ,processID AS process_id
          ,NULL AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,NULL AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,NULL AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,NULL AS computer_name
          ,NULL AS comment
          ,NULL AS parameter
          ,action AS action
          ,NULL AS type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[Process] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'IPS_APP_CTRL' AS journal_name
          ,recID AS app_ctrl_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,processName AS process_name
          ,processID AS process_id
          ,permit AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,NULL AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,NULL AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,NULL AS computer_name
          ,comment AS comment
          ,NULL AS parameter
          ,NULL AS action
          ,TypeOfAttack AS type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[IPS_App_Ctrl] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'ACCOUNT' AS journal_id
          ,recID AS accounts_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,NULL AS process_name
          ,NULL AS process_id
          ,NULL AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,NULL AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,NULL AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,computerName AS computer_name
          ,comment AS comment
          ,NULL AS parameter
          ,action AS action
          ,NULL AS type_of_attack
          ,targetUserName as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[Account] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'POLICY' AS journal_name
          ,recID AS policies_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,NULL AS process_name
          ,NULL AS process_id
          ,NULL AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,NULL AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,NULL AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,computerName AS computer_name
          ,comment AS comment
          ,parameter AS parameter
          ,action AS action
          ,NULL AS type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[Policy] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'ACCESS' AS journal_name
          ,recID AS access_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,processName AS process_name
          ,NULL AS process_id
          ,NULL AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,NULL AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,NULL AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,computerName AS computer_name
          ,NULL AS comment
          ,NULL AS parameter
          ,action AS action
          ,NULL AS type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,resource AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,shadowCopy AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[Access] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'PRINT' AS journal_name
          ,recID AS print_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,processName AS process_name
          ,NULL AS process_id
          ,NULL AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,NULL AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,NULL AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,computerName AS computer_name
          ,NULL AS comment
          ,NULL AS parameter
          ,NULL AS action
          ,NULL AS type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,printerName AS printer_name
          ,document AS document
          ,port AS printer_port
          ,pagesPrinted AS pages_printed
          ,copies AS copies_printed
          ,shadowCopy AS shadow_copy
          ,NULL AS wrong_user_pw
          ,NULL AS logon_mode
      FROM [dbo].[Printer] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      UNION ALL
      
      SELECT TOP 10000 'LOGON' AS journal_name
          ,recID AS logon_rec_id
          ,dateAndTime AS event_date
          ,clientName AS client_name
          ,mandatLevel AS mandat_level
          ,userName AS user_name
          ,result AS result
          ,NULL AS process_name
          ,NULL AS process_id
          ,NULL AS permit
          ,NULL AS event_on_connect
          ,NULL AS dns_name
          ,NULL AS protocol
          ,NULL AS local_address
          ,NULL AS local_port
          ,NULL AS remote_address
          ,NULL AS remote_port
          ,NULL AS in_bytes
          ,NULL AS out_bytes
          ,NULL AS rule_id
          ,NULL AS alarm_level
          ,NULL AS rule_action
          ,NULL AS address_type
          ,NULL AS src_address
          ,NULL AS dst_address
          ,NULL AS signature_number
          ,NULL AS signature_info
          ,computerName AS computer_name
          ,NULL AS comment
          ,NULL AS parameter
          ,NULL AS action
          ,NULL AS type_of_attack
          ,NULL as target_user_name
          ,NULL AS latest_protocol_id
          ,NULL AS direction
          ,NULL AS bytes
          ,NULL AS resource
          ,NULL AS printer_name
          ,NULL AS document
          ,NULL AS printer_port
          ,NULL AS pages_printed
          ,NULL AS copies_printed
          ,NULL AS shadow_copy
          ,wrongUserPW AS wrong_user_pw
          ,logonMode AS logon_mode
      FROM [dbo].[Logon] where dateAndTime >= DATEADD(MINUTE, -5, GetDate())
      В представленном запросе из каждой таблицы собирается по 10 000 событий. Если возникает проблема с выгрузкой событий рекомендует понизить количество событий, собираемых одним запросом.
    • База данных: MS SQL.

    • Интервал запроса: 120 секунд.

    • Поле идентификатора: нет.

    • Строка подключения в секрете:

      jdbc:sqlserver://DBSERVER:1433;encrypt=false;databaseName=DBNAME;user=dl_reader;password=passw0rd

      Здесь:

      • DBSERVER — FQDN или IP-адрес сервера СУБД.

      • DBNAME — название экземпляра БД.

      • 1433 — порт подключения.

      Создание секрета описано в разделе Настройка секрета database в R-Vision SIEM.
  3. Добавьте на конвейер элемент Нормализатор с правилом "RV-N-134". Соедините нормализатор с точкой входа.

  4. Добавьте на конвейер элемент Конечная точка типа Хранилище событий. Соедините конечную точку с нормализатором.

  5. Сохраните и установите конфигурацию конвейера.

Пример конфигурации конвейера:

dallas lock sb mssql pipeline

Если настройка выполнена корректно, в хранилище начнут поступать события из MS SQL.

Найти события из MS SQL в хранилище можно по следующему фильтру:

dvendor = Confident

dallas lock ecu psql events

Настройка секрета database в R-Vision SIEM

Чтобы создать секрет подключения к СУБД:

  1. В интерфейсе R-Vision SIEM перейдите в раздел Ресурсы → Секреты.

  2. Нажмите на кнопку Создать.

  3. В открывшемся окне заполните поля:

    • Название — введите название секрета.

    • Описание (опционально) — введите назначение секрета.

    • Тип секрета — выберите вариант Строка подключения.

    • Строка подключения — укажите данные для подключения к СУБД.

  4. Нажмите на кнопку Создать.

dallas lock sb mssql secret

Таблица маппинга

Таблица соответствия полей события для всех рассмотренных типов событий представлена по ссылке.