Vanguard

About

Founded in 1986 to help customers safeguard mission critical applications and data, Vanguard Integrity Professionals is the largest independent provider of enterprise security software for addressing complex security and regulatory compliance challenges.

Vanguard continuously drives innovation in security software and technology to stay ahead of evolving regulatory requirements and an ever-changing threat landscape. Led by some of the most knowledgeable minds in the cybersecurity industry, our security solutions lead the industry.

Product Details

Vendor URL: Vanguard Integrity Professionals | z/OS Mainframe Software

Product Type: SIEM

Product Tier: Tier I

Integration Method: Syslog

Integration URL: Vanguard Alert Connector for z/OS, RACF, ACF2, and TSS

Log Guide: RACF Logging and Reporting - Vanguard Integrity Professionals

Parser Details

Log Format: CEF

Expected Normalization Rate: 75%

Data Label: VANGUARD_ACTIVE_ALERTS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                                              UDM Field
vendor                                                      metadata.vendor_name
product                                                     metadata.product_name
version                                                     metadata.product_version
GENERIC_EVENT, FILE_UNCATEGORIZED, FILE_READ, USER_LOGIN   metadata.event_type
category                                                    metadata.product_event_type
Action                                                      additional.fields
cs1                                                         additional.fields
cs2                                                         additional.fields
deviceExternalId                                            additional.fields
deviceFacility                                              additional.fields
deviceProcessName                                           additional.fields
deviceTranslatedAddress                                     principal.ip
EVNTCLASSNAME                                               additional.fields
EVNTGROUP                                                   principal.user.groupid
EVNTLEVEL                                                   additional.fields
EVNTLOGREASON                                               additional.fields
EVNTMISCDATA                                                additional.fields
EVNTPROFNAME                                                additional.fields
EVNTPROFOWN                                                 additional.fields
EVNTSPLXID                                                  additional.fields
EVNTSPLXNAME                                                additional.fields
EVNTSUBUID                                                  additional.fields
EVNTTEXT                                                    additional.fields
filePermission                                              additional.fields
fileType                                                    additional.fields
msg                                                         additional.fields
reason                                                      additional.fields
spriv                                                       additional.fields
sproc                                                       additional.fields
sourceServiceName                                           principal.process.pid
suid                                                        principal.user.userid
suser                                                       principal.user.user_display_name
EVNTRESOURCE                                                observer.hostname
EVNTRESOURCE                                                observer.ip
NULL                                                        target.file.full_path
AUTHTYPE_UNSPECIFIED                                        extensions.auth.type
NULL                                                        target.hostname
product_event                                               security_result.category_details

Product Event Types

type,subtype          UDM Event Classification
Default               GENERIC_EVENT
RESOURCE ACCESS       FILE_UNCATEGORIZED
Read                  FILE_READ
LOGON                 USER_LOGIN

Log Sample

CEF:0|VANGUARD|SIEM FOR VANGUARD_ACTIVE_ALERTS|redacted|BT68|VANGUARD SECURITY EVENT|1|act=NO ACTION cat=RESOURCE ACCESS cs1=BOD8 cs1Label=EVNTSMFID deviceExternalId=VANGUARD_ACTIVE_ALERTS deviceFacility=SECURITY deviceProcessName=SAMPLE S4847298 deviceTranslatedAddress=10.11.11.193 externalID=Access filePermission=Alter cs2=Read cs2Label=EVNTACCREQ FILE ACCESS REQUESTED fileType=DATA SET OR RESOURCE reason=ALERT CRITERIA MET rt=Dec  7 2021 07:37:14  sourceServiceName=REDACTED spriv=Normal sproc=REDACTED start=Dec  7 2021 07:36:55  suid=user suser=DOC USER ID msg=APPLSIEMVRM=V43D54D5 APPLSYSNAME=BOD8     APPLCALLPGMEP=0006F000 APPLCALLPGMRA=000731E4 EVNTSPLXNAME=SP01 EVNTSPLXID=P0 EVNTSUBUID=FB8 EVNTTEXT=Successful access EVNTGROUP=DOCUSERS EVNTPROFNAME=USERNAME EVNTPROFOWN=USERNAME EVNTCLASSNAME=DATASET EVNTLOGREASON=RAD EVNTLEVEL=20 EVNTMISCDATA=BT68 EVNTRESOURCE=VANGUARD_SERVER

Sample Parsing

metadata.event_timestamp = "2021-12-07T07:37:14Z"
metadata.event_type = "FILE_UNCATEGORIZED"
metadata.vendor_name = "VANGUARD"
metadata.product_name = "SIEM FOR VANGUARD_ACTIVE_ALERTS"
metadata.product_version = "redacted"
metadata.product_event_type = "RESOURCE ACCESS"
metadata.ingested_timestamp = "2021-12-07T13:37:24.027150Z"
additional.sproc = "REDACTED"
additional.EVNTSPLXNAME = "SP01"
additional.device_facility = "SECURITY"
additional.msg = "APPLSIEMVRM=V43D54D5"
additional.EVNTCLASSNAME = "DATASET"
additional.spriv = "Normal"
additional.reason = "ALERT CRITERIA MET"
additional.EVNTTEXT = "Successful access"
additional.EVNTACCREQ FILE ACCESS REQUESTED = "Read"
additional.device_external_id = "VANGUARD_ACTIVE_ALERTS"
additional.EVNTSPLXID = "P0"
additional.EVNTLEVEL = "20"
additional.Action = "NO ACTION"
additional.file_permission = "Alter"
additional.EVNTMISCDATA = "BT68"
additional.EVNTSUBUID = "FB8"
additional.EVNTSMFID = "BOD8"
additional.EVNTPROFOWN = "USERNAME"
additional.device_process_name = "SAMPLE S4847298"
additional.EVNTPROFNAME = "USERNAME"
additional.EVNTLOGREASON = "RAD"
additional.file_type = "DATA SET OR RESOURCE"
principal.user.userid = "user"
principal.user.groupid = "DOCUSERS"
principal.user.user_display_name = "DOC USER ID"
principal.process.pid = "REDACTED"
principal.ip = "10.11.11.193"
principal.namespace = "COMPANYNAME"
principal.asset.ip = "10.11.11.193"
target.file.full_path = "NULL"
target.namespace = "COMPANYNAME"
observer.hostname = "VANGUARD_SERVER"
observer.namespace = "COMPANYNAME"
security_result.category_details = "VANGUARD SECURITY EVENT"
security_result.severity = "LOW"
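To show how the field mapping and event classification above turn the Log Sample into the Sample Parsing fields, here is an added Python example; it is not the vendor's connector or the SIEM's parser. It assumes the event subtype is taken from the externalID key and that a CEF header severity of 0-3 is reported as LOW, since the page does not say which field drives either.

```python
"""Constructed example: map one Vanguard CEF alert to the UDM fields in the table above."""
import re
from datetime import datetime

# The page's log sample, split for readability (Python joins adjacent string literals).
SAMPLE = ("CEF:0|VANGUARD|SIEM FOR VANGUARD_ACTIVE_ALERTS|redacted|BT68|VANGUARD SECURITY EVENT|1|act=NO ACTION "
          "cat=RESOURCE ACCESS cs1=BOD8 cs1Label=EVNTSMFID deviceExternalId=VANGUARD_ACTIVE_ALERTS deviceFacility=SECURITY "
          "deviceProcessName=SAMPLE S4847298 deviceTranslatedAddress=10.11.11.193 externalID=Access filePermission=Alter "
          "cs2=Read cs2Label=EVNTACCREQ FILE ACCESS REQUESTED fileType=DATA SET OR RESOURCE reason=ALERT CRITERIA MET "
          "rt=Dec  7 2021 07:37:14  sourceServiceName=REDACTED spriv=Normal sproc=REDACTED start=Dec  7 2021 07:36:55  "
          "suid=user suser=DOC USER ID msg=APPLSIEMVRM=V43D54D5 APPLSYSNAME=BOD8     APPLCALLPGMEP=0006F000 "
          "APPLCALLPGMRA=000731E4 EVNTSPLXNAME=SP01 EVNTSPLXID=P0 EVNTSUBUID=FB8 EVNTTEXT=Successful access "
          "EVNTGROUP=DOCUSERS EVNTPROFNAME=USERNAME EVNTPROFOWN=USERNAME EVNTCLASSNAME=DATASET EVNTLOGREASON=RAD "
          "EVNTLEVEL=20 EVNTMISCDATA=BT68 EVNTRESOURCE=VANGUARD_SERVER")

# Keys with a dedicated UDM field per the mapping table; every other key lands in additional.<key>.
DIRECT = {"cat": "metadata.product_event_type", "deviceTranslatedAddress": "principal.ip",
          "suid": "principal.user.userid", "suser": "principal.user.user_display_name",
          "EVNTGROUP": "principal.user.groupid", "sourceServiceName": "principal.process.pid",
          "EVNTRESOURCE": "observer.hostname", "act": "additional.Action"}

# A value runs until the next " key=" token, so the KEY=VALUE pairs inside msg become their own
# keys and msg keeps only its first token, exactly as the Sample Parsing shows.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def classify(cat, subtype):
    # Product Event Types table; assumption: the subtype is the externalID value.
    if cat == "RESOURCE ACCESS":
        return "FILE_READ" if subtype == "Read" else "FILE_UNCATEGORIZED"
    return "USER_LOGIN" if cat == "LOGON" else "GENERIC_EVENT"

def parse_cef(line):
    head = line.split("|", 7)  # escaped "\|" handling omitted; the sample has none
    _, vendor, product, version, _sig_id, name, severity, ext = head
    kv = {k: v.strip() for k, v in EXT_RE.findall(ext)}
    udm = {"metadata.vendor_name": vendor, "metadata.product_name": product,
           "metadata.product_version": version, "security_result.category_details": name,
           # assumption: CEF severity 0-3 maps to LOW (the sample's 1 is shown as LOW)
           "security_result.severity": "LOW" if int(severity) <= 3 else "MEDIUM"}
    rt = kv.pop("rt", None)
    if rt:  # "Dec  7 2021 07:37:14" -> "2021-12-07T07:37:14Z"
        ts = datetime.strptime(" ".join(rt.split()), "%b %d %Y %H:%M:%S")
        udm["metadata.event_timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    udm["metadata.event_type"] = classify(kv.get("cat"), kv.get("externalID"))
    for n in range(1, 7):  # cs1=BOD8 cs1Label=EVNTSMFID -> additional.EVNTSMFID = BOD8
        if f"cs{n}Label" in kv:
            kv[kv.pop(f"cs{n}Label")] = kv.pop(f"cs{n}", "")
    for key, value in kv.items():
        udm[DIRECT.get(key, "additional." + key)] = value
    return udm
```

Run parse_cef(SAMPLE) and compare the result with the Sample Parsing block; the custom-string labels and the split of the msg field are the parts worth checking when a new Vanguard alert type does not normalize.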

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon