IBM Guardium Appliance

About
IBM Security Guardium Data Protection supports a zero trust approach to security. It discovers and classifies sensitive data from across the enterprise, providing real-time data activity monitoring and user behavior analytics to help discover unusual activity around sensitive data.
Product Details
Vendor URL: IBM Guardium
Product Type: DLP
Product Tier: Tier II
Integration Method: Custom
Log Guide: IBM Guardium - Cyderes Documentation
Parser Details
Log Format: JSON CEF
Expected Normalization Rate: 95-100%
Data Label: GUARDIUM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| ALLOW,BLOCK | security_result.action |
| AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| DATABASE | target.resource.resource_type |
| GENERIC_EVENT | metadata.event_type |
| INBOUND,OUTBOUND | network.direction |
| MACHINE | extensions.auth.type |
| SERVICE_ACCOUNT_TYPE | principal.user.account_type |
| SETTING | target.resource.resource_type |
| SSH | network.application_protocol |
| TCP,UDP | network.ip_protocol |
| USER_LOGIN | metadata.event_type |
| action | security_result.action_details |
| act | additional.fields |
| app_protocol_output | network.application_protocol |
| appcategory | security_result.summary |
| application_user_name | principal.user.user_display_name |
| category | security_result.category_detail |
| cat | security_result.category_details |
| cfp1 | additional.fields |
| cfp2 | additional.fields |
| cfp3 | additional.fields |
| cfp4 | additional.fields |
| checked_permissions | security_result.rule_name |
| client_hostname | principal.hostname |
| client_ip | principal.ip |
| client_port | principal.port |
| cn1 | additional.fields |
| cn2 | additional.fields |
| cn3 | additional.fields |
| componentId | principal.resource.name |
| cs1 | additional.fields |
| cs1 | security_result.severity |
| cs2 | additional.fields |
| cs3 | additional.fields |
| cs4 | additional.fields |
| cs5 | additional.fields |
| cs6 | additional.fields |
| cs7 | additional.fields |
| database_name | target.resource.name |
| db_name | target.resource.name |
| db_protocol_version | additional.fields |
| db_protocol | additional.fields |
| db_username | principal.user.userid |
| db_username | target.user.userid |
| db_user | target.user.user_display_name |
| description | metadata.description |
| destinationServiceName | target.application |
| destinationTranslatedAddress | target.nat_ip |
| destinationTranslatedPort | target.nat_port |
| devicePayloadId | additional.fields |
| device_product | metadata.product_name |
| device_vendor | metadata.vendor_name |
| device_version | metadata.product_version |
| dhost | target.hostname |
| dmac | target.mac |
| dntdom | target.administrative_domain |
| dpid | target.process.pid |
| dport | target.port |
| dproc | target.process.command_line |
| dpt | target.port |
| dst_ip | target.ip |
| dsthost | target.hostname |
| dst | target.hostname |
| dst | target.ip |
| duid | target.user.userid |
| duser | target.user.user_display_name |
| duser | target.user.userid |
| eventId | additional.fields |
| event_type | metadata.product_event_type |
| event | metadata.product_event_type |
| event | src.hostname |
| externalId | additional.fields |
| fname | additional.fields |
| full_sql_id | target.process.pid |
| full_sql | target.process.command_line |
| host_key | additional.fields |
| in | network.received_bytes |
| ip_protocol_out | network.ip_protocol |
| message | security_result.summary |
| msg | metadata.description |
| mwProfile | security_result.rule_name |
| name | principal.resource.name |
| observer | observer.hostname |
| observer | observer.ip |
| observer | principal.hostname |
| oldFilePath | src.file.full_path |
| oldFileSize | src.file.size |
| old_permissions | src.resource.attribute.permissions |
| os_user | principal.user.user_display_name |
| os_user | principal.user.userid |
| os_user | src.user.userid |
| outcome | security_result.description |
| out | network.received_bytes |
| pid | principal.process.pid |
| principal_host | principal.hostname |
| principal_ip | principal.ip |
| principal_role | principal.user.attribute.roles |
| process | metadata.product_event_type |
| product_event | metadata.product_event_type |
| product | metadata.product_name |
| requestClientApplication | network.http.user_agent |
| requestMethod | network.http.method |
| request_type | security_result.rule_name |
| request | target.url |
| resource | principal.resource.id |
| roleName | principal.user.role_name |
| roles | target.user.attribute.roles |
| rule_description | security_result.rule_name |
| rule_number | security_result.rule_id |
| sender_ip | intermediary.ip |
| server_hostname | target.hostname |
| server_ip | target.ip |
| server_port | target.port |
| server_type | additional.fields |
| server_type | target.resource.resource_subtype |
| service_name | target.application |
| session_end | target.resource.attribute.last_update_time |
| session_id | network.session_id |
| session_start | target.resource.attribute.creation_time |
| severity | security_result.severity |
| shost | principal.hostname |
| smac | principal.mac |
| smb_host | additional.fields |
| smb_stage1 | additional.fields |
| smb_uid | additional.fields |
| sntdom | principal.administrative_domain |
| sourceServiceName | principal.application |
| sourceTranslatedAddress | principal.nat_ip |
| sourceTranslatedPort | principal.nat_port |
| source_program | principal.application |
| source | src.hostname |
| spid | principal.process.pid |
| sproc | principal.process.file.full_path |
| spt | principal.port |
| sql | principal.process.command_line |
| src | principal.hostname |
| src | principal.ip |
| start | additional.fields |
| subject | security_result.summary |
| summary | security_result.summary |
| suser | principal.user.userid |
| target_role | target.user.attribute.roles |
| target_user | target.user.userid |
| type | metadata.product_event_type |
| users | principal.user.user_display_name |
| user | principal.user.userid |
| uuid | principal.resource.product_object_id |
| vendor | metadata.vendor_name |
| version | metadata.product_version |
Product Event Types
| Event Type |
|---|
| GENERIC_EVENT |
| NETWORK_CONNECTION |
| NETWORK_UNCATEGORIZED |
| PROCESS_LAUNCH |
| RESOURCE_CREATION |
| RESOURCE_DELETION |
| RESOURCE_READ |
| RESOURCE_WRITTEN |
| SETTING_MODIFICATION |
| STATUS_UPDATE |
| USER_CHANGE_PASSWORD |
| USER_CHANGE_PERMISSIONS |
| USER_LOGIN |
| USER_RESOURCE_ACCESS |
Log Sample
<25>Oct 21 14:05:13 hostname2 GuardiumSniffer[12163]: subject "SQLGUARD ALERT", "CEF:0|IBM|Guardium|11.0|20050|Failed Login - Log Violation|5|rt=1634839512966 cs1=LOW cs1Label=Severity cs2=ORACLE cs2Label=Server Type cs3=Login cs3Label=Classification cat=Data Privacy app=TNS cs4=3.15 cs4Label=DB Protocol Version suser= sproc=JDBC THIN CLIENT act=LOGIN_FAILED start=1634839512966 externalId=619155 duser=john.doe dst=10.10.10.109 dpt=61290 src=10.10.10.108 spt=29984 proto=TCP cs1= dstHost=hostname1"
<30>Sep 2 08:35:05 hostname3 guard_sender[3194]: LEEF:1.0|IBM|Guardium|9.0|Privileged Users - Log Full Details|ruleID=11111|ruleDesc=Privileged Users - Log Full Details|severity=INFO|devTime=2022-09-02 08:34:22.976000|serverType=ORACLE|classification=Priv. Users|category=Security|dbProtocolVersion=3.14|usrName=|sourceProgram=C:\HOSTNAME\BIN\PROWIN32.EXE|start=1662125662976|dbUser=SYSTEM|dst=10.10.10.10|dstPort=1522|src=10.10.10.11|srcPort=53278|protocol=TCP|type=SQL_LANG|violationID=676559009840268008|sql='redacted'|error=
Sample Parsing
metadata.event_timestamp = "2021-10-21T14:05:13Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "IBM"
metadata.product_name = "Guardium"
metadata.product_version = "11.0"
metadata.product_event_type = "SQLGUARD ALERT"
metadata.description = "Failed Login - Log Violation"
metadata.ingested_timestamp = "2021-10-21T18:05:21.739622Z"
additional.act = "LOGIN_FAILED"
additional.start = "1634839512966"
additional.DB Protocol Version = "3.15"
additional.Server Type = "ORACLE"
additional.external_id = "619155"
principal.process.file.full_path = "JDBC THIN CLIENT"
principal.ip = "10.10.10.108"
principal.port = 29984
principal.application = "TNS"
principal.namespace = "domain.com"
principal.asset.ip = "10.10.10.108"
target.hostname = "hostname1"
target.user.userid = "John.Doe"
target.ip = "10.10.10.109"
target.port = 61290
target.namespace = "domain1"
target.asset.ip = "10.10.10.109"
observer.hostname = "hostname2"
observer.namespace = "domain2"
security_result.category_details = "Data Privacy"
security_result.action = "BLOCK"
security_result.severity = "LOW"
network.ip_protocol = "TCP"
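As an added worked example (not the Cyderes parser's own code), the function below walks the page's CEF sample through the steps the mapping table implies: it unwraps the syslog and `subject "..."` prefix, splits the CEF header, tokenizes extensions on `key=` boundaries so multi-word values such as `JDBC THIN CLIENT` survive, resolves `csNLabel` pairs (which is what lets `cs1Label=Severity` route `cs1` into `security_result.severity`), and keeps the trailing empty `cs1=` from overwriting `cs1=LOW`. The event-type and action rules (`LOGIN_*` to `USER_LOGIN`, `FAILED` to `BLOCK`) are assumptions for illustration, and the timestamp is taken from the `rt` epoch-millisecond field in UTC rather than from the year-less, zone-less syslog header.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the page's CEF-over-syslog sample (values are the page's own).
SAMPLE = ('<25>Oct 21 14:05:13 hostname2 GuardiumSniffer[12163]: subject "SQLGUARD ALERT", '
          '"CEF:0|IBM|Guardium|11.0|20050|Failed Login - Log Violation|5|rt=1634839512966 cs1=LOW '
          'cs1Label=Severity cs2=ORACLE cs2Label=Server Type cs3=Login cs3Label=Classification '
          'cat=Data Privacy app=TNS cs4=3.15 cs4Label=DB Protocol Version suser= sproc=JDBC THIN '
          'CLIENT act=LOGIN_FAILED start=1634839512966 externalId=619155 duser=john.doe '
          'dst=10.10.10.109 dpt=61290 src=10.10.10.108 spt=29984 proto=TCP cs1= dstHost=hostname1"')

# Syslog prefix, the 'subject "...",' wrapper, then the quoted CEF record.
WRAPPER_RE = re.compile(r'^<\d+>\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<observer>\S+) \S+: '
                        r'subject "(?P<subject>[^"]*)", "(?P<cef>CEF:.*)"$')
# A key is a run of word characters directly before '='; its value runs (spaces included,
# e.g. 'JDBC THIN CLIENT') up to the next ' key=' or the end of the record.
EXT_RE = re.compile(r'(\w+)=(.*?)(?= \w+=|$)')

def parse_extensions(ext):
    """CEF extensions -> dict. A later empty repeat (the trailing 'cs1=') never clobbers 'cs1=LOW'."""
    fields = {}
    for key, value in EXT_RE.findall(ext):
        if not (value == '' and key in fields):
            fields[key] = value
    return fields

def to_udm(line):
    """Map one Guardium CEF line to UDM fields named in this page's table (event-type rules assumed)."""
    m = WRAPPER_RE.match(line)
    if not m:
        raise ValueError('not a Guardium CEF-over-syslog line')
    hdr = m.group('cef').split('|', 7)  # CEF:0|vendor|product|version|signature id|name|severity|ext
    ext = parse_extensions(hdr[7])
    # Resolve csN/csNLabel pairs into their labels ('Severity' -> 'LOW', 'Server Type' -> 'ORACLE').
    labels = {ext[k + 'Label']: v for k, v in ext.items() if re.fullmatch(r'cs\d', k) and k + 'Label' in ext}
    act = ext.get('act', '')
    ts = datetime.fromtimestamp(int(ext['rt']) / 1000, timezone.utc)  # rt is epoch milliseconds, UTC
    return {
        'metadata.event_timestamp': ts.strftime('%Y-%m-%dT%H:%M:%SZ'),
        'metadata.event_type': 'USER_LOGIN' if act.startswith('LOGIN') else 'GENERIC_EVENT',
        'metadata.vendor_name': hdr[1], 'metadata.product_name': hdr[2], 'metadata.product_version': hdr[3],
        'metadata.description': hdr[5], 'metadata.product_event_type': m.group('subject'),
        'observer.hostname': m.group('observer'), 'principal.ip': ext.get('src'), 'principal.port': int(ext['spt']),
        'principal.process.file.full_path': ext.get('sproc'), 'target.user.userid': ext.get('duser'),
        'target.ip': ext.get('dst'), 'target.port': int(ext['dpt']), 'target.hostname': ext.get('dstHost'),
        'security_result.action': 'BLOCK' if 'FAILED' in act else 'ALLOW',
        'security_result.severity': labels.get('Severity'), 'security_result.category_details': ext.get('cat'),
        'network.ip_protocol': ext.get('proto'),
        'additional.fields': {k: v for k, v in labels.items() if k != 'Severity'},
    }
```

Running `to_udm(SAMPLE)` reproduces the page's Sample Parsing values for severity, action, ports, addresses and the labelled custom fields; the `rt`-derived timestamp is the UTC instant, four hours after the local-time syslog header.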
Parser Alerting
This product currently does not have any parser-based alerting.