MSSQL
This document provides guidance on how to integrate Microsoft SQL Server with Google Security Operations SOAR.
Integration version: 14.0
Before you begin
This section helps you configure a Google SecOps remote agent (RHEL, CentOS, or Docker) to work with SQL Server using Kerberos authentication.
Configure a Google SecOps remote agent (RHEL or CentOS)
To configure a Google SecOps remote agent (RHEL or CentOS) to work with SQL Server, complete the following steps in the remote agent Linux shell:
Add your domain DNS servers to the /etc/resolv.conf file:
#vi /etc/resolv.conf
Install the krb5 package for CentOS 7:
#yum install krb5-workstation
Open the /etc/krb5.conf file and add your domain as default_realm in uppercase (Kerberos realm names are case-sensitive, and Active Directory realms are uppercase):
#vi /etc/krb5.conf
Obtain a Kerberos ticket to test the connection to Active Directory. Use a user that has access to the SQL Server database:
#kinit sql_user
Input your user password.
Show the obtained ticket:
#klist
Optional: Remove the Kerberos ticket:
#kdestroy -A
For more information about creating a remote agent on CentOS using the Microsoft SQL integration, see Create agent with installer for CentOS.
Configure a Google SecOps remote agent (Docker)
To configure a Google SecOps remote agent (Docker) to work with SQL Server, complete the following steps in the remote agent Linux shell:
Run a shell in a docker container:
docker exec -it siemplify /bin/bash
Add your domain DNS servers to the /etc/resolv.conf file:
#vi /etc/resolv.conf
Install the krb5 package for CentOS 7:
#yum install krb5-workstation
Open the /etc/krb5.conf file and add your domain as default_realm in uppercase (Kerberos realm names are case-sensitive, and Active Directory realms are uppercase):
#vi /etc/krb5.conf
Obtain a Kerberos ticket. Use a user that has access to the SQL Server database:
#kinit sql_user
Enter your user password.
Show the obtained ticket:
#klist
Optional: Remove the Kerberos ticket:
#kdestroy -A
For more information about creating a remote agent on Docker, see Create agent with Docker.
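The RHEL/CentOS and Docker procedures above differ only in the initial docker exec step. The script below is an added example, not part of the Google SecOps documentation: it carries the remaining steps through in one place by generating the krb5.conf the procedure asks for with the realm in uppercase, checking resolv.conf and the realm before kinit is run, and then obtaining and listing the ticket. The domain corp.example.com, the domain controller dc01.corp.example.com and the user sql_user are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Google SecOps documentation: carries the
# remote-agent Kerberos procedure through in one script. Domain, domain
# controller and user names are placeholders.
set -eu

# Print a minimal krb5.conf for an Active Directory domain. The realm is the
# domain name in upper case, as the procedure requires; the domain controller
# is used as KDC and admin server.
krb5_conf_for_domain() {
  local domain="$1" dc="$2" realm
  realm="$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"
  cat <<EOF
[libdefaults]
    default_realm = ${realm}
    dns_lookup_kdc = true
    # Do not reverse-resolve the SQL Server address when building its
    # MSSQLSvc/host:port service principal name; a PTR record that does not
    # match the name in the SPN otherwise breaks the Kerberos login.
    rdns = false

[realms]
    ${realm} = {
        kdc = ${dc}
        admin_server = ${dc}
    }

[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# Succeed if the resolv.conf at $1 names at least one DNS server; the domain
# controllers must be resolvable before kinit can find a KDC.
check_resolv_conf() {
  grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$1"
}

# Succeed if default_realm in the krb5.conf at $1 is set and entirely upper
# case. Kerberos realm names are case-sensitive and AD realms are upper case.
check_default_realm_uppercase() {
  local realm
  realm="$(awk -F= '$1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ {
             gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")"
  [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Usage: sh krb5-setup.sh --apply corp.example.com dc01.corp.example.com sql_user
# Writes /etc/krb5.conf, then obtains and shows a ticket (prompts for the
# Active Directory password). Run as root inside the agent shell.
main() {
  local domain="$1" dc="$2" user="$3"
  if ! check_resolv_conf /etc/resolv.conf; then
    echo "add your domain DNS servers to /etc/resolv.conf first" >&2
    return 1
  fi
  krb5_conf_for_domain "$domain" "$dc" > /etc/krb5.conf
  check_default_realm_uppercase /etc/krb5.conf
  kinit "$user"   # password is read interactively
  klist           # the principal must show the upper-case realm, e.g. sql_user@CORP.EXAMPLE.COM
}

if [ "${1:-}" = "--apply" ]; then
  shift
  main "$@"
fi
```

The two check functions are the ones worth keeping at hand when kinit fails on an agent: an empty resolv.conf and a lower-case default_realm account for most first attempts. The rdns = false setting matters specifically for SQL Server, whose service principal is built from the host name you connect to, so a stale or mismatched reverse DNS entry for the server otherwise produces a principal that does not exist in the directory.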
Optional: Install SQL Server tools for debugging
To install the SQL Server tools for debugging, complete the following steps in the remote agent Linux shell:
Add the Microsoft repository:
# curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/msprod.repo
Install SQL Server tools:
# yum install mssql-tools unixODBC-devel
Binaries are installed in the /opt/mssql-tools/bin directory.
Test the connection to SQL Server:
#kinit sql_user
Run the following command (the -E flag makes sqlcmd authenticate with the Kerberos ticket obtained by kinit):
/opt/mssql-tools/bin/sqlcmd -S sqlserver.yourdomain.com -E
Integrate MSSQL with Google SecOps
The integration requires the following parameters:
Parameters | Description |
---|---|
Server Address |
Required An address of the SQL Server instance. The default value is
|
Username |
Optional The username of the SQL Server instance. |
Password |
Optional The user password. |
Port |
Optional The port to use in the integration. |
Windows Authentication |
Optional If selected, the integration authenticates using Windows authentication. Not selected by default. |
Use Kerberos Authentication |
Optional If selected, the integration authenticates using Kerberos authentication. Not selected by default. |
Kerberos Realm |
Optional The Kerberos realm value. |
Kerberos Username |
Optional The username for the Kerberos authentication. |
Kerberos Password |
Optional The password for the Kerberos authentication. |
Verify SSL |
Optional If selected, the integration verifies that the SSL certificate for the connection to the SQL Server is valid. Selected by default. This parameter applies only for the Microsoft ODBC driver for SQL Server version 18. If the Google SecOps server host runs earlier ODBC driver versions, the integration ignores this parameter. Driver version 18 encrypts connections by default, so if the SQL Server presents a certificate that the agent host does not trust, connections fail while this parameter is selected. Install the issuing CA certificate on the agent host rather than clearing the parameter: clearing it skips certificate validation and leaves the connection open to interception. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if necessary. After you configure an integration instance, you can use it in playbooks. For more information on configuring and supporting multiple instances, see Supporting multiple instances.
Actions
The SQL Server integration includes the following actions:
Ping
Use the Ping action to test connectivity to the SQL Server.
This action runs on all entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Not available |
Script result | Available |
Script result
The following table describes the values for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success |
True or False |
Run SQL Query
Use the Run SQL Query action to run SQL queries.
This action runs on all entities.
Action inputs
The Run SQL Query action requires the following parameters:
Parameters | Description |
---|---|
Database Name |
Required The database name to run the query on. |
|
Required The query to run. The default value is
|
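The Run SQL Query action takes the query as a single string, so a playbook that places an alert or entity value (a hostname, a user name) into that string is building the query by concatenation. The script below is an added example, not code from the integration or from Google SecOps: it shows a lookup built by raw interpolation beside the same lookup with the value quoted as a T-SQL string literal, and wraps the sqlcmd invocation from the debugging section above so a query can be tried with the same Kerberos ticket before it is placed in the action. The dbo.assets table, its columns and the server and database names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the MSSQL integration or Google SecOps: quoting
# values that a playbook substitutes into the Run SQL Query string. Table,
# column, server and database names are placeholders.
set -eu

# Quote a value as a T-SQL Unicode string literal N'...'. Inside a literal the
# only character SQL Server treats specially is the single quote, which is
# doubled; control characters (NUL, CR, LF, ...) are refused instead of quoted.
sql_literal() {
  local value="$1"
  case "$value" in
    *[[:cntrl:]]*)
      echo "sql_literal: control character in value" >&2
      return 1 ;;
  esac
  printf "N'%s'" "$(printf '%s' "$value" | sed "s/'/''/g")"
}

# The pattern to avoid: the entity value is spliced into the query as-is, so
# a hostname such as  x' OR 1=1 --  rewrites the WHERE clause and returns
# every row in the table.
unsafe_host_lookup_query() {
  printf "SELECT TOP 100 hostname, owner, last_seen FROM dbo.assets WHERE hostname = '%s';" "$1"
}

# The same lookup with the value passed through sql_literal. Identifiers
# (table, columns) stay fixed in the template and never come from the alert.
host_lookup_query() {
  local lit
  lit="$(sql_literal "$1")" || return 1
  printf 'SELECT TOP 100 hostname, owner, last_seen FROM dbo.assets WHERE hostname = %s;' "$lit"
}

# Run a query with the Kerberos ticket of the current user (sqlcmd -E), the
# same invocation the debugging section uses to test connectivity. The query
# is handed to -Q as one argument, not spliced into the shell command line.
run_query() {
  local server="$1" database="$2" query="$3"
  /opt/mssql-tools/bin/sqlcmd -S "$server" -d "$database" -E -Q "$query"
}

# Usage: sh lookup.sh --run sqlserver.yourdomain.com assetdb "x' OR 1=1 --"
if [ "${1:-}" = "--run" ]; then
  q="$(host_lookup_query "$4")"
  echo "$q"
  run_query "$2" "$3" "$q"
fi
```

The action runs whatever the configured login is permitted to run, so pair the quoting above with least privilege on the SQL Server side: give the integration's login (or the Kerberos user) only the database role the playbooks need, such as db_datareader on the one database they query, rather than a server-level role. Keep table and column names fixed in the query template; sql_literal only protects values, not identifiers.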
Action outputs
The Run SQL Query action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Not available |
Script result | Available |
JSON result
The following shows an example of the JSON result output received when using the Run SQL Query action:
[
{
"Name": "Actions Monitor System",
"Creator": "System",
"Integration": "Example",
"VersionId": "VERSION_ID",
"ModificationTimeUnixTimeInMs": 1558278307098,
"Description": "Notifies of all the actions, that have individually failed at least 3 times, in the last 3 hours"
},{
"Name": "Jobs Monitor System",
"Creator": "System",
"Integration": "Example",
"VersionId": "VERSION_ID",
"ModificationTimeUnixTimeInMs": 1558278307098,
"Description": "Notifies of all the jobs, that have individually failed at least 3 times, in the last 3 hours"
}
]
Script result
The following table describes the values for the script result output when using the Run SQL Query action:
Script result name | Value |
---|---|
is_blocked |
True or False |