From: https://www-secure.symantec.com/connect/forums/sql-querys-database
DECLARE @Hostname NVARCHAR(512)
SELECT @Hostname = '%%'
DECLARE @Groupname NVARCHAR(2000)
SELECT @Groupname = '%%'
SELECT Dateadd(hour, +2, Dateadd(second, ASL.event_time / 1000,
'1970/01/01 00:00')) AS
"EVENT-TIME",
ASL.host_name
AS "COMPUTER",
S.name
AS "SEPM",
G.name
AS "GROUP",
ASL.event_source
AS "EVENT-SOURCE",
ASL.event_desc
AS "DESCRIPTION",
ASL.event_data
AS "RULENAME",
'N/A'
AS "LOCAL-IP",
'N/A'
AS "REMOTE-IP",
'N/A'
AS "APPLICATION",
'N/A'
AS "LOCATION",
'N/A'
AS "INTRUSION URL",
NULL
AS "LOCAL-PORT",
NULL
AS "REMOTE-PORT"
FROM dbo.v_agent_system_log ASL
JOIN dbo.v_groups G
ON ASL.group_id = G.id
JOIN dbo.v_servers S
ON ASL.server_id = S.id
WHERE G.name LIKE @Groupname
AND ASL.host_name LIKE @Hostname
UNION ALL
SELECT Dateadd(hour, +2, Dateadd(second, ASL.event_time / 1000,
'1970/01/01 00:00')) AS
"EVENT-TIME",
ASL.host_name
AS "COMPUTER",
S.name
AS "SEPM",
G.name
AS "GROUP",
'N/A'
AS "EVENT-SOURCE",
ASL.event_desc
AS "DESCRIPTION",
'N/A'
AS "RULENAME",
ASL.local_host_ip_text
AS "LOCAL-IP",
ASL.remote_host_ip_text
AS "REMOTE-IP",
ASL.app_name
AS "APPLICATION",
ASL.location_name
AS "LOCATION",
( ASL.intrusion_url + ' _Payload URL/'
+ ASL.intrusion_payload_url )
AS "INTRUSION URL",
NULL
AS "LOCAL-PORT",
NULL
AS "REMOTE-PORT"
FROM dbo.v_agent_security_log ASL
JOIN dbo.v_groups G
ON ASL.group_id = G.id
JOIN dbo.v_servers S
ON ASL.server_id = S.id
WHERE G.name LIKE @Groupname
AND ASL.host_name LIKE @Hostname
UNION ALL
SELECT Dateadd(hour, +2, Dateadd(second, ABL.event_time / 1000,
'1970/01/01 00:00')) AS
"EVENT-TIME",
ABL.host_name
AS "COMPUTER",
S.name
AS "SEPM",
G.name
AS "GROUP",
CASE
WHEN ABL.vapi_name IS NULL THEN 'Tamper Protection'
ELSE ABL.vapi_name
END
AS "EVENT-SOURCE",
ABL.description
AS "DESCRIPTION",
ABL.rule_name
AS "RULENAME",
'N/A'
AS "LOCAL-IP",
'N/A'
AS "REMOTE-IP",
ABL.caller_process_name
AS "APPLICATION",
'N/A'
AS "LOCATION",
'N/A'
AS "INTRUSION URL",
NULL
AS "LOCAL-PORT",
NULL
AS "REMOTE-PORT"
FROM dbo.v_agent_behavior_log ABL
JOIN dbo.v_groups G
ON ABL.group_id = G.id
JOIN dbo.v_servers S
ON ABL.server_id = S.id
WHERE G.name LIKE @Groupname
AND ABL.host_name LIKE @Hostname
UNION ALL
SELECT Dateadd(hour, +2, Dateadd(second, ATL.event_time / 1000,
'1970/01/01 00:00')) AS
"EVENT-TIME",
ATL.host_name
AS "COMPUTER",
S.name
AS "SEPM",
G.name
AS "GROUP",
'N/A'
AS "EVENT-SOURCE",
( 'Action: ' + CASE WHEN ATL.blocked = 1 THEN 'BLOCKED' WHEN ATL.blocked
= 0
THEN
'ALLOWED' END + ' - Protcol: ' + CASE WHEN ATL.network_protocol = 1
THEN
'IP, Ethernet' WHEN ATL.network_protocol = 2 THEN 'TCP' WHEN
ATL.network_protocol = 3 THEN 'UDP' WHEN ATL.network_protocol = 4 THEN
'ICMP'
END
+ ' - Direction: ' + CASE WHEN ATL.traffic_direction = 1 THEN 'IN' WHEN
ATL.traffic_direction = 2 THEN 'OUT' WHEN ATL.traffic_direction = 0
THEN
'Unknown' END )
AS "DESCRIPTION",
ATL.rule_name
AS "RULENAME",
ATL.local_host_ip_text
AS "LOCAL-IP",
ATL.remote_host_ip_text
AS "REMOTE-IP",
ATL.app_name
AS "APPLICATION",
ATL.location_name
AS "LOCATION",
'N/A'
AS "INTRUSION URL",
ATL.local_port
AS "LOCAL-PORT",
ATL.remote_port
AS "REMOTE-PORT"
FROM dbo.v_agent_traffic_log ATL
JOIN dbo.v_groups G
ON ATL.group_id = G.id
JOIN dbo.v_servers S
ON ATL.server_id = S.id
WHERE G.name LIKE @Groupname
AND ATL.host_name LIKE @Hostname
ORDER BY "event-time" DESC,
"computer";