CA Client Automation

Hi All,

We want to get CA remote Control Previus session logs to SIEM. We tied to export All Previous RC Sessions report to csv file and then collect them to qradar. But this is not so suitable. Is here andy Database table to use for this purpose.

Regards,

HI

I was looking at the export of the previous sessions and you could choose the option export to ODBC Database Table

I am not sure if this would help you to integrate with SIEM but may be a better option than a .csv export.

Hope this is helpful

Joe

Hi Wiegand,

Thanks for reply. Exporting to an external database is sounds good. I will try this.

Thanks,

If your RC events are configured to write to the Windows event logs, you could have an event collector (qradar) send it to your SIEM.

Hello Bill,

Writing to event logs is a good idea. But I dont know how can I can configure this.

Best Regards,

HI

Check under the policy

URC Policy \ Remote Control \ Event Logging \ Host Events

Remote control session started

Remote control session stopped

That may help

Thanks

Joe

The configuration policy needs to be updated in a couple places.

1) Update the remote control event logging

2) Update the event log destination

Once they are in the OS event logs, you should be able to capture them with the SIEM tool.  DB queries/export/imports are not necessary.

Hi Erhan,

The active and preivous RC Sessions are stored in SQL table : urc_active_session.

For example following query returns details about the previous RC Sessions :

SELECT dateadd ( ss, datesessionstarted + datediff(ss,getutcdate(),getdate()), convert(datetime,'19700101')) 'Start Time',

strhost 'Host', strviewer 'Viewer', strremoteuser 'Remote User', iduration 'Duration'

FROM urc_active_session

WHERE iduration>0

Thanks.

Regards,

Jean-Yves

Hi,

Thank you very much for your support. Both methods are useful.

Best Regards,