MSSQL
This document provides guidance on how to integrate Microsoft SQL Server with Google Security Operations SOAR.
Integration version: 14.0
Before you begin
This section helps you configure a Google SecOps remote agent (RHEL, CentOS, or Docker) to work with SQL Server using Kerberos authentication.
Configure a Google SecOps remote agent (RHEL or CentOS)
To configure a Google SecOps remote agent (RHEL or CentOS) to work with SQL Server, complete the following steps in the remote agent Linux shell:
- Add your DNS servers to the /etc/resolv.conf file:
  #vi /etc/resolv.conf
- Install the krb5 package for CentOS 7:
  #yum install krb5-workstation
- Open the /etc/krb5.conf file and add your domain as the default_realm value, in uppercase:
  #vi /etc/krb5.conf
- Test the connection with Active Directory. Use a user that has access to the SQL Server database:
  #kinit sql_user
- Enter your user password.
- Show the obtained ticket:
  #klist
- Optional: Remove the Kerberos ticket:
  #kdestroy -A
For more information about creating a remote agent on CentOS using the Microsoft SQL integration, see Create agent with installer for CentOS.
Configure a Google SecOps remote agent (Docker)
To configure a Google SecOps remote agent (Docker) to work with SQL Server, complete the following steps in the remote agent Linux shell:
- Run a shell in the Docker container:
  docker exec -it siemplify /bin/bash
- Add your domain DNS servers to the /etc/resolv.conf file:
  #vi /etc/resolv.conf
- Install the krb5 package for CentOS 7:
  #yum install krb5-workstation
- Open the /etc/krb5.conf file and add your domain as the default_realm value, in uppercase:
  #vi /etc/krb5.conf
- Obtain a Kerberos ticket. Use a user that has access to the SQL Server database:
  #kinit sql_user
- Enter your user password.
- Show the obtained ticket:
  #klist
- Optional: Remove the Kerberos ticket:
  #kdestroy -A
For more information about creating a remote agent on Docker, see Create agent with Docker.
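The RHEL/CentOS and Docker procedures above both edit the same two files, and a wrong realm case or a missing nameserver is the usual reason kinit fails afterwards. As an added example (not part of the Google SecOps integration), this Python preflight check inspects the contents of those files before kinit is attempted; the sample file contents, realm and addresses are constructed placeholders:

```python
import re

def parse_krb5_default_realm(text):
    """Return default_realm from [libdefaults], or None if absent.
    krb5.conf is not plain INI (the [realms] section nests {} blocks),
    so the section is tracked by hand instead of using configparser."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def resolv_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text."""
    return [fields[1] for fields in (l.split() for l in text.splitlines())
            if len(fields) > 1 and fields[0] == "nameserver"]

def preflight(krb5_text, resolv_text):
    """Return a list of findings; an empty list means both files match the steps."""
    findings = []
    if not resolv_nameservers(resolv_text):
        findings.append("resolv.conf: no nameserver entries, so the KDC and "
                        "SQL Server host names cannot be resolved")
    realm = parse_krb5_default_realm(krb5_text)
    if realm is None:
        findings.append("krb5.conf: default_realm is missing from [libdefaults]")
    elif realm != realm.upper():
        findings.append(f"krb5.conf: default_realm {realm!r} must be uppercase "
                        "(Kerberos realm names are case sensitive)")
    return findings

# Constructed sample files; the realm and addresses are placeholders.
GOOD_KRB5 = ("[libdefaults]\n default_realm = EXAMPLE.COM\n"
             "[realms]\n EXAMPLE.COM = {\n  kdc = dc1.example.com\n }\n")
BAD_KRB5 = "[libdefaults]\n default_realm = example.com\n"
GOOD_RESOLV = "search example.com\nnameserver 192.0.2.10\n"

if __name__ == "__main__":
    for label, krb5 in (("good", GOOD_KRB5), ("bad", BAD_KRB5)):
        print(label, preflight(krb5, GOOD_RESOLV) or "OK")
```

On the agent, read the real files with open("/etc/krb5.conf").read() and open("/etc/resolv.conf").read() and pass them to preflight().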
Optional: Install SQL Server tools for debugging
To install the SQL Server tools for debugging, complete the following steps in the remote agent Linux shell:
- Add the Microsoft repository:
  # curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/msprod.repo
- Install the SQL Server tools:
  # yum install mssql-tools unixODBC-devel
  The binaries are installed in the /opt/mssql-tools/bin directory.
- Test the connection to SQL Server. First obtain a Kerberos ticket:
  #kinit sql_user
- Run the following command:
  /opt/mssql-tools/bin/sqlcmd -S sqlserver.yourdomain.com -E
Integrate MSSQL with Google SecOps
The integration requires the following parameters:
Parameter | Description |
---|---|
Server Address | Required. The address of the SQL Server instance. The default value is |
Username | Optional. The username for the SQL Server instance. |
Password | Optional. The user password. |
Port | Optional. The port to use in the integration. |
Windows Authentication | Optional. If selected, the integration authenticates using Windows authentication. Not selected by default. |
Use Kerberos Authentication | Optional. If selected, the integration authenticates using Kerberos authentication. Not selected by default. |
Kerberos Realm | Optional. The Kerberos realm value. |
Kerberos Username | Optional. The username for Kerberos authentication. |
Kerberos Password | Optional. The password for Kerberos authentication. |
Verify SSL | Optional. If selected, the integration verifies that the SSL certificate for the connection to the SQL Server is valid. Selected by default. This parameter applies only to the Microsoft ODBC driver for SQL Server version 18. If the Google SecOps server host runs an earlier ODBC driver version, the integration ignores this parameter. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if necessary. After you configure an integration instance, you can use it in playbooks. For more information on configuring and supporting multiple instances, see Supporting multiple instances.
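The parameters above decide whether the agent sends credentials or relies on the kinit ticket, and whether the server certificate is checked. As an added example (not the integration's own code, whose connection logic is not on this page), this Python function builds a Microsoft ODBC driver connection string from those parameters; it assumes a pyodbc/unixODBC-style connection and assumes Verify SSL maps to the driver's TrustServerCertificate keyword:

```python
def build_connection_string(server, database, port=None, username=None,
                            password=None, windows_auth=False,
                            kerberos_auth=False, verify_ssl=True,
                            driver_version=18):
    """Return (connection_string, warnings) for a pyodbc/unixODBC connection.

    Windows or Kerberos authentication rely on the ticket obtained with
    kinit, so no username or password is sent (Trusted_Connection=yes).
    Verify SSL is mapped to TrustServerCertificate, which ODBC driver 18
    (encrypting by default) honours; earlier drivers ignore it, as the
    parameter table notes. This mapping is an assumption for illustration.
    """
    if not server or not database:
        raise ValueError("Server Address and Database Name are required")
    warnings = []
    integrated = windows_auth or kerberos_auth
    if not integrated and not (username and password):
        raise ValueError("Username and Password are required unless Windows "
                         "or Kerberos authentication is selected")
    if integrated and (username or password):
        warnings.append("Username/Password are ignored when Windows or "
                        "Kerberos authentication is selected")
    host = f"{server},{port}" if port else server
    parts = [f"DRIVER={{ODBC Driver {driver_version} for SQL Server}}",
             f"SERVER={host}", f"DATABASE={database}"]
    if integrated:
        parts.append("Trusted_Connection=yes")
    else:
        parts += [f"UID={username}", f"PWD={password}"]
    if driver_version >= 18:
        parts.append("Encrypt=yes")
        parts.append("TrustServerCertificate=" + ("no" if verify_ssl else "yes"))
        if not verify_ssl:
            warnings.append("Certificate validation is disabled: the link is "
                            "encrypted but the server identity is not checked")
    else:
        warnings.append("Verify SSL is ignored by ODBC driver versions before 18")
    return ";".join(parts), warnings

if __name__ == "__main__":
    # Constructed values: placeholder host and database, no real credentials.
    cs, notes = build_connection_string("sqlserver.yourdomain.com", "secops",
                                        kerberos_auth=True)
    print(cs, notes)
```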
Actions
The SQL Server integration includes the following actions:
Ping
Use the Ping action to test connectivity to the SQL Server.
This action runs on all entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Not available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Run SQL Query
Use the Run SQL Query action to run SQL queries.
This action runs on all entities.
Action inputs
The Run SQL Query action requires the following parameters:
Parameter | Description |
---|---|
Database Name | Required. The database name to run the query on. |
 | Required. The query to run. The default value is |
Action outputs
The Run SQL Query action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Not available |
Script result | Available |
JSON result
The following shows an example of the JSON result output received when using the Run SQL Query action:
[
  {
    "Name": "Actions Monitor System",
    "Creator": "System",
    "Integration": "Example",
    "VersionId": "VERSION_ID",
    "ModificationTimenixTimeInMs": 1558278307098,
    "Description": "Notifies of all the actions, that have individually failed at least 3 times, in the last 3 hours"
  },
  {
    "Name": "Jobs Monitor System",
    "Creator": "System",
    "Integration": "Example",
    "VersionId": "VERSION_ID",
    "ModificationTimenixTimeInMs": 1558278307098,
    "Description": "Notifies of all the jobs, that have individually failed at least 3 times, in the last 3 hours"
  }
]
Script result
The following table describes the values for the script result output when using the Run SQL Query action:
Script result name | Value |
---|---|
is_blocked | True or False |