IBM Guardium Appliance¶
About¶
IBM Security Guardium Data Protection supports a zero trust approach to security. It discovers and classifies sensitive data from across the enterprise, providing real-time data activity monitoring and user behavior analytics to help discover unusual activity around sensitive data.
Product Details¶
Vendor URL: IBM Guardium
Product Type: DLP
Product Tier: Tier II
Integration Method: Custom
Log Guide: IBM Guardium - Cyderes Documentation
Parser Details¶
Log Format: JSON CEF
Expected Normalization Rate: 95-100%
Data Label: GUARDIUM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| description | metadata.description |
| start | additional.fields |
| act | additional.fields |
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| product_event | metadata.product_event_type |
| GENERIC_EVENT | metadata.event_type |
| USER_LOGIN | metadata.event_type |
| AUTHTYPE_UNSPECIFIED | extensions.auth.type |
| ALLOW,BLOCK | security_result.action |
| cs1 | security_result.severity |
| cs1 | additional.fields |
| cs2 | additional.fields |
| cs3 | additional.fields |
| cs4 | additional.fields |
| category | security_result.category_detail |
| suser | principal.user.userid |
| sproc | principal.process.file.full_path |
| externalId | additional.fields |
| duser | target.user.userid |
| dst | target.hostname |
| dst | target.ip |
| dpt | target.port |
| src | principal.hostname |
| src | principal.ip |
| spt | principal.port |
| TCP,UDP | network.ip_protocol |
| dsthost | target.hostname |
| observer | observer.hostname |
| observer | observer.ip |
Product Event Types¶
| Event Type |
|---|
| All events |
Log Sample¶
<25>Oct 21 14:05:13 hostname2 GuardiumSniffer[12163]: subject "SQLGUARD ALERT", "CEF:0|IBM|Guardium|11.0|20050|Failed Login - Log Violation|5|rt=1634839512966 cs1=LOW cs1Label=Severity cs2=ORACLE cs2Label=Server Type cs3=Login cs3Label=Classification cat=Data Privacy app=TNS cs4=3.15 cs4Label=DB Protocol Version suser= sproc=JDBC THIN CLIENT act=LOGIN_FAILED start=1634839512966 externalId=619155 duser=john.doe dst=10.10.10.109 dpt=61290 src=10.10.10.108 spt=29984 proto=TCP cs1= dstHost=hostname1"
Sample Parsing¶
metadata.event_timestamp = "2021-10-21T14:05:13Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "IBM"
metadata.product_name = "Guardium"
metadata.product_version = "11.0"
metadata.product_event_type = "SQLGUARD ALERT"
metadata.description = "Failed Login - Log Violation"
metadata.ingested_timestamp = "2021-10-21T18:05:21.739622Z"
additional.act = "LOGIN_FAILED"
additional.start = "1634839512966"
additional.DB Protocol Version = "3.15"
additional.Server Type = "ORACLE"
additional.external_id = "619155"
principal.process.file.full_path = "JDBC THIN CLIENT"
principal.ip = "10.10.10.108"
principal.port = 29984
principal.application = "TNS"
principal.namespace = domain.com
principal.asset.ip = "10.10.10.108"
target.hostname = "hostname1"
target.user.userid = "John.Doe"
target.ip = "10.10.10.109"
target.port = 61290
target.namespace = "domain1"
target.asset.ip = "10.10.10.109"
observer.hostname = "hostname2"
observer.namespace = "domain2"
security_result.category_details = "Data Privacy"
security_result.action = "BLOCK"
security_result.severity = "LOW"
network.ip_protocol = "TCP"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon