We want to get CA Remote Control previous session logs to a SIEM. We tried to export the All Previous RC Sessions report to a csv file and then collect them into QRadar, but this is not so suitable. Is there any database table we can use for this purpose?
I was looking at the export of the previous sessions and you could choose the option export to ODBC Database Table
I am not sure if this would help you to integrate with SIEM but may be a better option than a .csv export.
Hope this is helpful
Thanks for the reply. Exporting to an external database sounds good. I will try this.
If your RC events are configured to write to the Windows event logs, you could have an event collector (qradar) send it to your SIEM.
Writing to event logs is a good idea. But I don't know how I can configure this.
Check under the policy
URC Policy \ Remote Control \ Event Logging \ Host Events
Remote control session started
Remote control session stopped
That may help
The configuration policy needs to be updated in a couple places.
1) Update the remote control event logging
2) Update the event log destination
Once they are in the OS event logs, you should be able to capture them with the SIEM tool. DB queries/export/imports are not necessary.
The active and previous RC Sessions are stored in the SQL table urc_active_session.
For example, the following query returns details about the previous RC Sessions:
-- datesessionstarted is stored as epoch seconds (UTC); shift it by the server's UTC offset
-- and add it to 1970-01-01 to get the local start time
SELECT dateadd(ss, datesessionstarted + datediff(ss, getutcdate(), getdate()), convert(datetime, '19700101')) 'Start Time',
       strhost 'Host', strviewer 'Viewer', strremoteuser 'Remote User', iduration 'Duration'
FROM urc_active_session
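As an added example (not code from the thread or from CA), this Python snippet shows how rows pulled from urc_active_session could be turned into LEEF lines for QRadar, the same epoch-to-timestamp conversion the query above does in T-SQL. The column names come from the post; the sample rows, the LEEF vendor/product/event-id strings and the attribute names are our own choices, and a real collector would read the rows through an ODBC connection instead of the constructed list.

```python
import datetime as dt
from typing import Dict, Iterable, List

# Constructed sample rows shaped like the urc_active_session columns named in
# the thread (datesessionstarted = epoch seconds, iduration = seconds). Not real data.
SAMPLE_ROWS = [
    {"datesessionstarted": 1700000000, "strhost": "HOST01", "strviewer": "ADMINPC",
     "strremoteuser": "CORP\\jdoe", "iduration": 342},
    {"datesessionstarted": 1700003600, "strhost": "HOST02", "strviewer": "ADMINPC",
     "strremoteuser": "CORP\\asmith", "iduration": 58},
]


def epoch_to_iso(seconds: int) -> str:
    """Convert the epoch-seconds start time to an ISO-8601 UTC timestamp."""
    started = dt.datetime.fromtimestamp(seconds, tz=dt.timezone.utc)
    return started.strftime("%Y-%m-%dT%H:%M:%SZ")


def leef_escape(value) -> str:
    """LEEF separates attributes with tabs, so keep each value on one line."""
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")


def row_to_leef(row: Dict) -> str:
    """Build one LEEF 1.0 event; header strings are hypothetical, not CA's."""
    header = "LEEF:1.0|CA|RemoteControl|1.0|RCSession"
    attrs = {
        "devTime": epoch_to_iso(row["datesessionstarted"]),
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",
        "dst": row["strhost"],          # host that was controlled
        "src": row["strviewer"],        # viewer that connected
        "usrName": row["strremoteuser"],
        "duration": row["iduration"],
    }
    body = "\t".join(f"{key}={leef_escape(val)}" for key, val in attrs.items())
    return f"{header}|{body}"


def build_events(rows: Iterable[Dict]) -> List[str]:
    """Format every session row as a LEEF line ready for syslog forwarding."""
    return [row_to_leef(row) for row in rows]


if __name__ == "__main__":
    for line in build_events(SAMPLE_ROWS):
        print(line)
```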
Thank you very much for your support. Both methods are useful.