
IBM Guardium Appliance

IBM Guardium

About

IBM Security Guardium Data Protection supports a zero trust approach to security. It discovers and classifies sensitive data from across the enterprise, providing real-time data activity monitoring and user behavior analytics to help discover unusual activity around sensitive data.

Product Details

Vendor URL: IBM Guardium

Product Type: DLP

Product Tier: Tier II

Integration Method: Custom

Log Guide: IBM Guardium - Cyderes Documentation

Parser Details

Log Format: JSON CEF

Expected Normalization Rate: 95-100%

Data Label: GUARDIUM

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field          UDM Field
description             metadata.description
start                   additional.fields
act                     additional.fields
vendor                  metadata.vendor_name
product                 metadata.product_name
version                 metadata.product_version
product_event           metadata.product_event_type
GENERIC_EVENT           metadata.event_type
USER_LOGIN              metadata.event_type
AUTHTYPE_UNSPECIFIED    extensions.auth.type
ALLOW, BLOCK            security_result.action
cs1                     security_result.severity
cs1                     additional.fields
cs2                     additional.fields
cs3                     additional.fields
cs4                     additional.fields
category                security_result.category_detail
suser                   principal.user.userid
sproc                   principal.process.file.full_path
externalId              additional.fields
duser                   target.user.userid
dst                     target.hostname
dst                     target.ip
dpt                     target.port
src                     principal.hostname
src                     principal.ip
spt                     principal.port
TCP, UDP                network.ip_protocol
dsthost                 target.hostname
observer                observer.hostname
observer                observer.ip

Product Event Types

Event Type
All events

Log Sample

<25>Oct 21 14:05:13 hostname2 GuardiumSniffer[12163]:  subject "SQLGUARD ALERT", "CEF:0|IBM|Guardium|11.0|20050|Failed Login - Log Violation|5|rt=1634839512966 cs1=LOW cs1Label=Severity cs2=ORACLE cs2Label=Server Type cs3=Login cs3Label=Classification cat=Data Privacy app=TNS cs4=3.15 cs4Label=DB Protocol Version suser= sproc=JDBC THIN CLIENT act=LOGIN_FAILED start=1634839512966 externalId=619155 duser=john.doe dst=10.10.10.109 dpt=61290 src=10.10.10.108 spt=29984 proto=TCP cs1= dstHost=hostname1"

Sample Parsing

metadata.event_timestamp = "2021-10-21T14:05:13Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "IBM"
metadata.product_name = "Guardium"
metadata.product_version = "11.0"
metadata.product_event_type = "SQLGUARD ALERT"
metadata.description = "Failed Login - Log Violation"
metadata.ingested_timestamp = "2021-10-21T18:05:21.739622Z"
additional.act = "LOGIN_FAILED"
additional.start = "1634839512966"
additional.DB Protocol Version = "3.15"
additional.Server Type = "ORACLE"
additional.external_id = "619155"
principal.process.file.full_path = "JDBC THIN CLIENT"
principal.ip = "10.10.10.108"
principal.port = 29984
principal.application = "TNS"
principal.namespace = "domain.com"
principal.asset.ip = "10.10.10.108"
target.hostname = "hostname1"
target.user.userid = "John.Doe"
target.ip = "10.10.10.109"
target.port = 61290
target.namespace = "domain1"
target.asset.ip = "10.10.10.109"
observer.hostname = "hostname2"
observer.namespace = "domain2"
security_result.category_details = "Data Privacy"
security_result.action = "BLOCK"
security_result.severity = "LOW"
network.ip_protocol = "TCP"
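The mapping table and the log sample above, carried through as an added example that is not the Cyderes or IBM parser code: it splits the CEF header and extension from the syslog line, then applies the table's mappings (csN/csNLabel pairs become labelled additional fields, src/dst land in .ip or .hostname, a repeated empty cs1= does not clobber cs1=LOW). The event_type and action rules, the UTC treatment of the syslog time and the year 2021 are assumptions, since the page shows only the parsed result.

```python
import re
from datetime import datetime
# Constructed copy of the page's sample line (syslog header, subject, quoted CEF payload).
SAMPLE = ('<25>Oct 21 14:05:13 hostname2 GuardiumSniffer[12163]:  subject "SQLGUARD ALERT", '
          '"CEF:0|IBM|Guardium|11.0|20050|Failed Login - Log Violation|5|rt=1634839512966 cs1=LOW '
          'cs1Label=Severity cs2=ORACLE cs2Label=Server Type cs3=Login cs3Label=Classification '
          'cat=Data Privacy app=TNS cs4=3.15 cs4Label=DB Protocol Version suser= sproc=JDBC THIN CLIENT '
          'act=LOGIN_FAILED start=1634839512966 externalId=619155 duser=john.doe dst=10.10.10.109 '
          'dpt=61290 src=10.10.10.108 spt=29984 proto=TCP cs1= dstHost=hostname1"')
SYSLOG = re.compile(r'^<\d+>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) \S+:\s+subject "([^"]*)", "(CEF:.*)"$')
SIMPLE = {'cat': 'security_result.category_details', 'sproc': 'principal.process.file.full_path',
          'app': 'principal.application', 'proto': 'network.ip_protocol', 'suser': 'principal.user.userid',
          'duser': 'target.user.userid', 'dstHost': 'target.hostname', 'act': 'additional.act',
          'start': 'additional.start', 'externalId': 'additional.external_id'}

def parse_cef(payload):
    """Split a CEF:0 payload into its 7 header fields and an extension dict."""
    parts = re.split(r'(?<!\\)\|', payload, maxsplit=7)
    ext = {}
    for token in re.split(r' (?=\w+=)', parts[7]):  # values may contain spaces, keys cannot
        key, _, val = token.partition('=')
        if val or key not in ext:                    # trailing empty 'cs1=' must not clobber 'cs1=LOW'
            ext[key] = val
    return parts[:7], ext

def to_udm(line, year=2021):
    """Map one Guardium line to UDM. Assumptions (mine, not the page's): the syslog time is UTC in
    `year`; an act containing LOGIN -> USER_LOGIN, else GENERIC_EVENT; *_FAILED -> BLOCK, else ALLOW."""
    ts, host, subject, payload = SYSLOG.match(line).groups()
    (_, vendor, product, version, _, name, _), ext = parse_cef(payload)
    act = ext.get('act', '')
    udm = {'metadata.event_timestamp': datetime.strptime(f'{ts} {year}', '%b %d %H:%M:%S %Y').strftime('%Y-%m-%dT%H:%M:%SZ'),
           'metadata.event_type': 'USER_LOGIN' if 'LOGIN' in act else 'GENERIC_EVENT',
           'metadata.vendor_name': vendor, 'metadata.product_name': product,
           'metadata.product_version': version, 'metadata.product_event_type': subject,
           'metadata.description': name, 'observer.hostname': host,
           'security_result.action': 'BLOCK' if act.endswith('FAILED') else 'ALLOW'}
    for key, field in SIMPLE.items():  # one-to-one mappings; empty values such as 'suser=' are dropped
        if ext.get(key):
            udm[field] = ext[key]
    for side, h, p in (('principal', 'src', 'spt'), ('target', 'dst', 'dpt')):
        if ext.get(h):  # src/dst go to .ip when they look like IPv4, otherwise to .hostname
            udm[f'{side}.ip' if re.fullmatch(r'(\d{1,3}\.){3}\d{1,3}', ext[h]) else f'{side}.hostname'] = ext[h]
        if ext.get(p):
            udm[f'{side}.port'] = int(ext[p])
    for n in range(1, 5):  # csN/csNLabel pairs: the label names the field; Severity is special-cased
        val, label = ext.get(f'cs{n}'), ext.get(f'cs{n}Label')
        if val and label:
            udm['security_result.severity' if label == 'Severity' else f'additional.{label}'] = val
    return udm
```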

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon