Glenda Absent Member.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

I am getting the following error, Please help

[2014-05-19 23:34:57,202][ERROR][default.com.arcsight.agent.sdk.a.h.p][run]  java.lang.UnsupportedOperationException: Unable to detect database version. Tried version [sccm2012]. ERROR: [Invalid object name 'EP_Malware'.]

ivnyg
New Member.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

If someone is struggling with getting events from the SCCM connector and the query is specified with ThreatCategories.LocaleID as in the ArcSight SCCM connector, this can explain why you are not getting the events you expect.

We are outside the US and therefore few machines are set up with LocaleID = 1033 as specified in the query:

ThreatCategories.LocaleID = 1033, so if outside US (or even there if you have foreign language workers in your environment) drop the "AND ThreatCategories.LocaleID = 1033" part of the query and you should get more results 🙂

good luck

Ivar

ivnyg
New Member.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Hi

We were also getting duplicate events alerts.

I noticed that the RecordID of the events we got always increased by 16, so I suspected that there may be a bit overflow of some kind in the connector somewhere. The RecordID in our system is a large number, like 72057594037938308, which is represented with a 57 bit binary number, or 15 hex digits. A bit strange, since a 32 bit would be more than 4 bits overflowed and a 64 bit should not overflow, so not sure what's going on.

Anyway I was able to fix the duplicate events alerts by adding the DetectionID to the uniqueid.fields:

uniqueid.fields=RecordID,DetectionID

You will still get the same RecordID populated for every 16 events, but now we get all the events at least. So there is a bit overflow somewhere in the connector or jdbc:odbc driver.

(We also had to get rid of the LocaleID = 1033 from the query, as we don't have US English locale)

Ivar

maabe Absent Member.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Hi, we are successfully retrieving the data from the SCCM database with our ConApp and the SCCM connector.

However, we are not getting the information about the host that we would need. Only Machine-ID and not the hostname or IP address or anything. As I understand it, that information is located in another table in the database?

Would it be possible to get this information and still use the SCCM connector or do we have to create a flex connector?

Can I add rows in the table parameters to get this info?

RAW event:

DetectionSource=3,_DB_PORT=1433,ActionTime=1409544976000,DetectionID=73B0D14A-A8BC-4930-885B-5126C2C1BA48,RecordID=72057594037931342,SeverityID=5,LastMessageSerialNumber=7468,ThreatID=2147684208,UserID=16802436,CleaningAction=9,Path=file:_\XXX,ThreatName=Trojan:Win32/Wysotot!lnk,Process=C:\Windows\explorer.exe,MachineID=123456678,ExecutionStatus=1,ActionSuccess=1,PendingActions=0,LastMessageTime=1409545147877,_DB_NAME=XXX,_DB_URL=jdbc:sqlserver://XXX:1433;DatabaseName=XXX,_DB_DRIVER=com.microsoft.sqlserver.jdbc.SQLServerDriver,DetectionTime=1409311141273,CategoryID=0,_DB_HOST=XXX,ErrorCode=0,ProductVersion=4.5.0216.0

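An added example, not code from the thread or from the ArcSight connector: it models the uniqueid.fields deduplication from Ivar's post over rows laid out like the raw event quoted above, using constructed events in which 16 consecutive rows share one RecordID, as reported, and shows how many rows survive with and without DetectionID in the key. The helper and field names are assumptions made for this illustration.

```python
# Added example (not from the thread): models the connector's uniqueid.fields
# deduplication over SCEP rows laid out like the raw event quoted above.
# All events below are constructed; the RecordID symptom (rows 16 apart sharing
# one RecordID) is reproduced deliberately, not observed from real data.

def parse_raw_event(line):
    """Split a 'Key=Value,Key=Value' raw event into a dict.
    Split on the first '=' only: _DB_URL itself contains 'DatabaseName=...'."""
    fields = {}
    for part in line.split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields

def parse_uniqueid_fields(prop_line):
    """Turn the 'uniqueid.fields=RecordID,DetectionID' property into a field list."""
    key, _, value = prop_line.partition("=")
    if key.strip() != "uniqueid.fields":
        raise ValueError("not a uniqueid.fields property: %r" % prop_line)
    return [f.strip() for f in value.split(",") if f.strip()]

def dedupe(events, key_fields):
    """Keep the first event for each distinct tuple of key_fields values."""
    seen, kept = set(), []
    for ev in events:
        key = tuple(ev.get(f) for f in key_fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept

def make_batch(record_id, size=16):
    """Constructed rows: `size` detections that all carry the same RecordID."""
    return [{"RecordID": str(record_id), "DetectionID": "CONSTRUCTED-%04d" % i}
            for i in range(size)]

# Two consecutive batches: RecordIDs 16 apart, as reported in the thread.
BATCH = make_batch(72057594037938308) + make_batch(72057594037938308 + 16)

def kept_count(prop_line):
    """How many of the 32 constructed rows survive dedup under a given property."""
    return len(dedupe(BATCH, parse_uniqueid_fields(prop_line)))

def record_id_bits(raw_line):
    """Bit length of the RecordID in a raw event (57 for the IDs in this thread)."""
    return int(parse_raw_event(raw_line)["RecordID"]).bit_length()
```

With `uniqueid.fields=RecordID` only 2 of the 32 constructed rows are kept; with `uniqueid.fields=RecordID,DetectionID` all 32 survive.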
ivnyg
New Member.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Hi Mattias,

I think you will have to create a flex connector. You will have to make joins to get the info about hostname and user. The ready-made connector is closed, so you cannot change it without help from HP / ArcSight support.


Not too difficult to make one if you follow the query and tips in this thread. Got ours working well now.

maabe Absent Member.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Hi Ivar and thank you for your reply. I think we will try to get our logs directly from the application events via WMI instead. If that doesn't work we will try the flex connector option.

StevenD Honored Contributor.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Craig;

Did you ever find a resolution to your issue? We're implementing SCEP with a SQL 2012 backend as well and I need to get the events into ArcSight. Running into the same issues as you: tables aren't the same as the 2008R2 ones and the canned connector doesn't recognize the database version. Any tips?

reswob4 Honored Contributor.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Sorry for the delay in replying. No, we have not found a resolution, but we also moved on to other issues and have not circled back to try this again.

Sorry, I can't be of more help there...

sunil.jaiswal8 Super Contributor.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Hi,

I am struggling to integrate SCCM 2012 with ArcSight. As per my understanding, mixed mode authentication should be used for the DB user account.

The DBA configured the user account for Windows authentication only. The DBA is mentioning that using mixed mode authentication is not recommended by Microsoft. How have you done the setup for your SCCM 2012 server? It would be a great help for me if you can provide me a screenshot of the SCCM DB setup/configuration.

Regards,

Sunil

MuraliKV Super Contributor.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight


Hi Sunil,

Here are the steps.

a) Copy sqljdbc_auth.dll to <installfolder>\current\lib\win32 folder

b) jdbc URL = jdbc\:sqlserver\://servername\:port;DatabaseName\=databasename;integratedSecurity\=true

c) Specify the domain id & password

d) The domain ID should be configured to start the connector service.

I hope this helps.

Thank you

Murali

sunil.jaiswal8 Super Contributor.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Hi Murali,

Thank you very much for your response.

I am using the connector appliance. The SCCM DB is configured for Windows authentication only for the DB user. The DBA is denying the use of mixed mode authentication. The smart connector "Microsoft System Center Configuration Manager DB" is not able to connect to the SCCM DB with a DB user account for Windows authentication only. I need help from this community to understand how they have done the setup/configuration on their SCCM DB so that I can get guidance to move further on this implementation.

Regards,

Sunil Jaiswal

MuraliKV Super Contributor.

Re: SCCM 2012 / Endpoint Protection - Integration with ArcSight

Hi Sunil,

I am running the connector on a Windows server and using SQL server authentication to connect to the database.

Thank you

Murali
