When you’ve got a SIEM appliance or application, you want actions and events going into it as a central repository. That allows you to see patterns and hopefully track incidents across systems. As a result, if you want to track actions in VMware’s vCenter and you’ve got the database hosted on SQL Server, you need to give access to the following two tables:
- VPX_EVENT
- VPX_EVENT_ARG
A standard tendency is to give the account that the SIEM product is using membership in the db_datareader role. Don’t do this. It’s a violation of the Principle of Least Privilege: db_datareader can read every table in the database, not just the two the SIEM needs. It’s far better to create a user-defined role, grant it the appropriate permissions, and then make the account a member of the role. For instance:
```sql
USE VirtualCenterDB;
GO
-- A user-defined role that carries only the permissions the SIEM collector needs
CREATE ROLE [Auditor];
GO
-- Read access to the two event tables, and nothing else in the database
GRANT SELECT ON OBJECT::dbo.VPX_EVENT TO [Auditor];
GRANT SELECT ON OBJECT::dbo.VPX_EVENT_ARG TO [Auditor];
GO
```
And then you make the user account being used by the SIEM product a member of the Auditor role.
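The procedure end to end, as an added example that is not part of the original post: a login and database user for the collector (the name siem_collector and the password placeholder are assumptions), the role and grants from the post, the role membership, and a check under impersonation that the account can read the two tables but holds no database-wide SELECT of the kind db_datareader would confer.

```sql
-- Added example (not from the original post). Assumed names: the login/user
-- siem_collector and the password placeholder. VirtualCenterDB, VPX_EVENT and
-- VPX_EVENT_ARG are the names from the post.
USE [master];
GO
-- SQL login for the collector. If the SIEM connects with a domain account,
-- use CREATE LOGIN [DOMAIN\svc_siem] FROM WINDOWS; instead.
CREATE LOGIN [siem_collector]
    WITH PASSWORD = N'<strong-password-placeholder>', CHECK_POLICY = ON;
GO

USE [VirtualCenterDB];
GO
-- Database user mapped to the login, then the role and grants from the post
CREATE USER [siem_collector] FOR LOGIN [siem_collector];
CREATE ROLE [Auditor];
GRANT SELECT ON OBJECT::dbo.VPX_EVENT     TO [Auditor];
GRANT SELECT ON OBJECT::dbo.VPX_EVENT_ARG TO [Auditor];
-- Membership in the custom role, not in db_datareader
ALTER ROLE [Auditor] ADD MEMBER [siem_collector];
GO

-- Verification: run as the collector and confirm the grant is exactly what
-- the SIEM needs. The two reads succeed; the HAS_PERMS_BY_NAME call with a
-- NULL securable asks about SELECT at database scope, which is what
-- db_datareader membership would grant, and must return 0 here.
EXECUTE AS USER = 'siem_collector';
SELECT TOP (1) * FROM dbo.VPX_EVENT;
SELECT TOP (1) * FROM dbo.VPX_EVENT_ARG;
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'SELECT') AS has_db_wide_select;  -- 0
REVERT;
GO
```

Re-run the verification block after any later schema or permission change; a 1 in has_db_wide_select means the account has drifted back to blanket read access.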