Global Profile
The Global Profile panel defines defaults that apply to all users.
Override the Default Aliases Setting
By default, for any new report, or for any report that is contained in a default layout, aliases are not used.
An alias provides a synonym that substitutes for a stored value of a specific attribute type. It is commonly used to display a meaningful or user-friendly name for a data value. For example, Financial Server might be defined as an alias for IP address 192.168.2.18.
If you want to see aliases by default, you can change the default aliases setting for all reports, as follows:
- Click Global Profile to open the Global Profile panel.
- Mark the Use Aliases in Reports unless otherwise specified check box.
- Click Apply.
Customize the PDF Page Footer
PDF files created by various Guardium® components (audit tasks, for example) have a standard page footer. To customize that footer:
- Click Global Profile to open the Global Profile panel.
- In the PDF Footer Text field, enter the text to be printed at the foot of each page. Note: PDF footer text is not distributed from the Central Manager/Aggregator to the Managed Units.
- Click Apply.
Edit the Alert Message Template
To customize the message template used to generate alerts:
- Click Global Profile to open the Global Profile panel.
- In the Message Template text box, edit the alert template text. You can mark the no wrap check box to see where the line breaks appear in the message.
- Click Apply when you are done.
- Changes do not take effect until the inspection engines are restarted. To do that now, click Inspection Engines, then click Restart Inspection Engines.
Variable | Description |
---|---|
%%addBaselineConstruct | To add to baseline. Attention: The Baseline Builder and related functionality is deprecated starting with Guardium V10.1.4. |
%%AppUserName | Application user name |
%%AuthorizationCode | Authorization code |
%%category | Category from the rule definition |
%%classification | Classification from the rule definition |
%%clientHostname | Client host name |
%%clientIP | Client IP address |
%%clientPort | Client port number |
%%DBName | Database name |
%%DBProtocol | Database protocol |
%%DBProtocolVersion | Database protocol version |
%%DBUser | Database user name |
%%lastError | Last error description; available only when the SQL error request triggering an exception rule contains a last error description field |
%%netProtocol | Network protocol; for K-TAP on Oracle, this may display as either IPC or BEQ |
%%OSUser | Session information (OS_USER in GDM_ACCESS) |
%%receiptTime | Timestamp representing the time when the alert occurred |
%%receiptTimeMills | Numeric representing the time when the alert occurred, in milliseconds since the fixed date of Jan 1 1900 |
%%requestType | Request type |
%%ruleDescription | The rule description from the policy rule definition |
%%ruleID | The rule number from the rule definition |
%%serverHostname | Server host name |
%%serverIP | Server IP address |
%%serverPort | Server port number |
%%serverType | The database server type |
%%serviceName | Service name |
%%sessionStart | Session start time (login time) |
%%sessionStartMills | Numeric representing the start of the session in which the alert occurred, in milliseconds since the fixed date of Jan 1 1900 |
%%severity | Severity from the rule definition |
%%SourceProgram | Source program name |
%%SQLNoValue | SQL string with masked values; each value in the SQL is replaced by ? in the syslog message |
%%SQLString | SQL string (if any) |
%%SQLTimestamp | The time on the packet/request (TIMESTAMP in GDM_CONSTRUCT_TEXT) |
%%Subject[ ] | If this variable is used in the message template, everything between [ ] (for example, file name, email sender, description) becomes the subject line of the email sent to the user. |
%%violationID | Numeric representing the POLICY_VIOLATION_LOG_ID of this alert in GDM_POLICY_VIOLATION_LOG (the same as the Violation Log ID in the Policy Violations / Incident Management report) |
Named Template
Message templates are used to generate alerts.
The feature defines multiple message templates and facilitates the use of different templates on different rules. In the past, only a single message template was available for all rules, all receiver types, etc.
To add, modify and delete named message templates, click Edit. When creating a new named template, the starting value of the string is a copy of whatever is currently in the Message template of the Global Profile. "R/T Alert" is the only level of severity permitted.
Predefined message templates have been created for the SIEM solutions, ArcSight, EnVision, and QRadar. The Guardium system comes preloaded with two certified (agreed upon) templates to integrate with these two SIEM solutions.
The Named Template builder can select from two template types - Real-time Alerts and Audit Process Report.
Use the Audit Process Report to audit process tasks.
Click Edit Named Templates. Choose a SIEM and then click Modify. Select Real-time Alerts or Audit Process Report.
After editing, the multiple message templates can be selected from within the Policy Builder menu. See Policies.
Adding the QRadar template allows sending real-time alerts or Audit Process Reports to QRadar using the LEEF format (QRadar's event format).
Follow these steps to send real-time alerts or Audit Process Results to the QRadar SIEM.
- Real-time alert, Guardium to QRadar
  - Create a real-time alert.
  - Write to syslog.
  - Select Template type (Real-time Alert).
  - Forward to Q1 Labs QRadar SIEM (via LEEF mapping/predefined message template): choose the QRadar Named Template from Global Profile.
  - From the CLI, run the command "store remotelog" to forward the syslog messages to QRadar.
- Audit Process Report, Guardium to QRadar
  - Create an Audit Process report (click Audit Process Builder to open the Audit Process Builder).
  - Write to syslog.
  - Select Template type (Audit Process Report).
  - Forward to Q1 Labs QRadar SIEM (via LEEF mapping/predefined message template): choose the QRadar Named Template from Global Profile.
  - From the CLI, run the command "store remotelog" to forward the syslog messages to QRadar.
For example, here is the default LEEF template for the Databases Discovered report:
LEEF:0|IBM|Guardium|9.0|Databases Discovered|Time Probed=${1}|Server IP=${2}|Server Host Name=${3}|DB Type=${4}|Port=${5}|Port Type=${6}
Here are the report columns that are mapped to the template: Time Probed, Server IP, Server Host Name, DB Type, Port, Port Type.
- Check Export to CSV file and Write to Syslog.
- Select the Named Template, LEEF Discovered Databases
- Configure Remote Syslog by using the store remotelog command.
For example:
store remotelog add user.info 9.70.145.68 udp
This will now push all records from the audit process to the supplied IP address.
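As an added example (not Guardium's own code), the ${n} column mapping of the LEEF template above rendered in Python over constructed discovery rows, with a small parser that shows the fields the receiving SIEM would see; the handling of a "|" inside a value is an assumption, since the page does not say how Guardium escapes it.

```python
import re

# The default LEEF template for the Databases Discovered report, as shown in
# the Guardium documentation.
LEEF_TEMPLATE = ("LEEF:0|IBM|Guardium|9.0|Databases Discovered|Time Probed=${1}|"
                 "Server IP=${2}|Server Host Name=${3}|DB Type=${4}|Port=${5}|Port Type=${6}")

# Report columns in the order the template's ${n} placeholders reference them.
COLUMNS = ["Time Probed", "Server IP", "Server Host Name", "DB Type", "Port", "Port Type"]

# Constructed sample rows (not real discovery output); the second host name
# deliberately contains the field delimiter.
SAMPLE_ROWS = [
    ["2024-01-15 03:10:00", "10.1.2.3", "db-prod-01", "ORACLE", "1521", "TCP"],
    ["2024-01-15 03:10:05", "10.1.2.9", "db-test|02", "MSSQL", "1433", "TCP"],
]

PLACEHOLDER = re.compile(r"\$\{(\d+)\}")

def render_leef(template, row):
    """Substitute ${n} (1-based column index) with the row's values.

    A '|' inside a value would be read by the receiver as a field separator,
    so it is replaced with a space before substitution (assumption: the page
    does not say how Guardium itself handles this)."""
    def sub(m):
        idx = int(m.group(1)) - 1
        if idx >= len(row):
            raise ValueError(f"template references column {idx + 1}, row has {len(row)}")
        return str(row[idx]).replace("|", " ")
    return PLACEHOLDER.sub(sub, template)

def parse_leef(line):
    """Split a rendered line into its 5 header fields and an attribute dict."""
    parts = line.split("|")
    header, attrs = parts[:5], parts[5:]
    return header, dict(a.split("=", 1) for a in attrs)

def render_report(rows):
    """Render every row; each row must supply one value per mapped column."""
    for r in rows:
        if len(r) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(r)}")
    return [render_leef(LEEF_TEMPLATE, r) for r in rows]
```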
- Sender Encoding
To encode outgoing messages (email and SNMP traps) in an encoding scheme other than UTF8, use the CLI command, store sender_encoding.
- Filter templates of one type
- There is a filter mechanism to select all Real Time Alerts or Audit Process Report. Check or clear each selection.
- Envision 2 message template
- GUARDIUM_ALERT:
- rule-id=%%ruleID^^category=%%category^^classification=%%classification^^severity=%%severity^^session-start-time=%%sessionStart^^client-hostname=%%clientHostname^^client-ip=%%clientIP^^server-type=%%serverType^^server-ip=%%serverIP^^src-program=%%SourceProgram^^os-user=%%OSUser^^db-user=%%DBUser^^app-user=%%AppUserName^^service-name=%%serviceName^^req-type=%%requestType^^rule-desc=%%ruleDescription^^sql=%%SQLNoValue
- Threshold Default Template
As in real-time alerts, you can choose a template for the message that is sent when the threshold is reached. The template uses a predefined list of variables that are replaced with the appropriate value for the specific alert.
Those variables are:
%%alertName - alert name
%%description - alert description
%%alertQueryValue - query value that caused the alert
%%alertThreshold - alert threshold
%%alertQueryFromDate - start of the query period
%%alertQueryToDate - end of the query period
%%alertBaseQueryValue - base query value of the alert
%%classification - alert classification
%%category - alert category
%%severity - alert severity
%%recommendation - recommended action for the alert
%%Subject[] - subject of the message
The default template for threshold alerts is as follows (can be cloned and edited):
%%Subject[Guardium Alert. Severity: (%%severity), Alert Name: %%alertName]
Alert Name: %%alertName. Alert Description: %%description.
Current value: %%alertQueryValue
Base query value: %%alertBaseQueryValue
Threshold: %%alertThreshold
Query period: %%alertQueryFromDate - %%alertQueryToDate
Alert Classification: %%classification
Category: %%category
Severity: %%severity
Recommended Action: %%recommendation
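As an added example (not Guardium's own code), the substitution that both the real-time alert variables listed earlier and this threshold template rely on, in Python: %%Subject[...] is split out as the email subject and every other %%variable is replaced; the mask_sql approximation of %%SQLNoValue, the RT_TEMPLATE and the sample values are constructed assumptions.

```python
import re

# Threshold default template (abridged from the page) and a constructed
# real-time alert template built from the Global Profile variables.
THRESHOLD_TEMPLATE = (
    "%%Subject[Guardium Alert. Severity: (%%severity), Alert Name: %%alertName]\n"
    "Alert Name: %%alertName. Alert Description: %%description.\n"
    "Current value: %%alertQueryValue\n"
    "Threshold: %%alertThreshold\n"
    "Severity: %%severity\n"
)
RT_TEMPLATE = (
    "%%Subject[Rule %%ruleID fired on %%serverIP]\n"
    "%%ruleDescription (severity %%severity)\n"
    "%%DBUser from %%clientIP ran: %%SQLNoValue\n"
)

SUBJECT_RE = re.compile(r"%%Subject\[(.*?)\]")
VAR_RE = re.compile(r"%%([A-Za-z]+)")

def mask_sql(sql):
    """Approximate %%SQLNoValue: string and numeric literals become ?.
    (Assumption: Guardium's exact masking rules are not given on the page.)"""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)
    return re.sub(r"\b\d+(?:\.\d+)?\b", "?", sql)

def substitute(text, values):
    # Unknown %%names are left untouched so a typo in the template stays visible.
    return VAR_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)

def render(template, values):
    """Return (subject, body): %%Subject[...] becomes the email subject and is
    removed from the body; every other %%variable is substituted."""
    subject = None
    m = SUBJECT_RE.search(template)
    if m:
        subject = substitute(m.group(1), values)
        template = template[:m.start()] + template[m.end():]
    return subject, substitute(template, values).strip("\n")

# Constructed sample alert values (not real Guardium output).
THRESHOLD_ALERT = {"severity": "MED", "alertName": "Failed logins",
                   "description": "More than 20 failed logins in an hour",
                   "alertQueryValue": "37", "alertThreshold": "20"}
RT_ALERT = {"ruleID": "1042", "serverIP": "10.0.0.20", "severity": "HIGH",
            "ruleDescription": "Select on sensitive table", "DBUser": "appadmin",
            "clientIP": "10.0.0.5",
            "SQLNoValue": mask_sql("select ssn from customers where id = 42 and name = 'O''Brien'")}
```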
- Customize real-time alerts and email
- Control whether the email subject is prefixed with the Guardium appliance name.
- Control whether the email subject is repeated at the beginning of the email body.
- Add naming template parameter %%applianceHostName so Guardium users can add appliance hostname to Name Templates (any position subject or body).
- To accomplish this, use two fields in ADMINCONSOLE_PARAMETERS table:
- APPEND_APPLIANCENAME_SUBJECT
- APPEND_SUBJECT_IN_BODY
- Use the following CLI commands to control the content of these fields:
  - show alerter email append_name_subject / store alerter email append_name_subject: show or store the flag to append the appliance name to the email subject.
  - show alerter email append_subject_body / store alerter email append_subject_body: show or store the flag to append the email subject at the beginning of the email body.
- Each time the value is changed in the CLI, it takes effect immediately on outgoing emails.
CSV Separator
To define a separator to be used in the audit process:
- Click Global Profile to open the Global Profile panel.
- Choose Comma, Semicolon, or Tab, or define your own in the Other box, to set the CSV separator that is used.
- Click Apply.
Add other HTML content to the Guardium Window
To add other HTML content to the Guardium window:
- Click Global Profile to open the Global Profile panel.
- In the HTML - Left and HTML - Right text boxes, enter the HTML for the text or any other items you want to include on the window.
- Optionally click the preview button to verify that your HTML is displayed as you expect.
- Click Apply.
Add or Disable a Login Message
To add a message to display in a message box, each time a user logs in:
- Click Global Profile to open the Global Profile panel.
- In the Login Message text box, enter the text that you want to display when each user logs in.
- Mark the show login message check box to enable the display of the login message (or clear the box to disable it).
- Click Apply.
Enable or Disable Concurrent Same-user Logins
By default, the same Guardium user can log in to an appliance from multiple IP addresses. You can disable concurrent logins from the same user. When disabled, each Guardium user will be allowed to log in from only one IP address at a time. If a user closes their browser without logging out, the connection will time out due to inactivity, so the user account will not be blocked for long.
To change this setting:
- Click Global Profile to open the Global Profile panel.
- Locate the field Concurrent login from different IP.
- Click Enable or Disable, depending on the current status, to change the setting. Note: When the feature is disabled, an Unlock button appears next to the Enable button. You can click Unlock to allow a second user to log in with this user account from a different IP address. This is provided for support purposes.
Enable Data Level Security at the Observed Data Level
This feature assumes that specific Guardium users are responsible for specific databases. A mechanism therefore exists that filters results system-wide, so that each user can see only the information from the databases that the user is responsible for.
To change this setting:
- Click Global Profile to open the Global Profile panel.
- Click the Enable or Disable button for the Data level security filtering option. Note: The datasec-exempt role is activated when data level security is enabled and the datasec-exempt role has been assigned to a user.
- Additional choices include:
- Show-all - Permits the logged-in viewer to see all the rows in the result regardless of who these rows belong to. When used with the datasec-exempt role, it permits an override of the data level security filtering.
- Include indirect records - Permits the logged-in viewer to see the rows that belong to the logged-in user, but also all rows that belong to users under the logged-in user in the user hierarchy.
Default Filtering
Default setting for the online viewer and for audit process results distribution.
Show-all: the default setting is disabled.
Escalate result to all users
Escalate result to all users - A check mark in this check box escalates audit process results (and PDF versions) to all users, even if data level security at the observed data level is enabled. The default setting is enabled. If the check box is disabled (no check mark in the check box), then audit process escalation is allowed only to users at a higher level in the user hierarchy and to users with the datasec-exempt role. If the check box is disabled, and there is no user hierarchy, then no escalation is permitted.
Custom database table maximum size
Set the size of the custom database table (in MB). The default value is 4000 MB.
At this point in the Global Profile menu there is a Current Usage button. Click it to show values for INNODB, MYISAM, and Total.
SCP and FTP files via different ports
Change the ports that can be used to send files over SCP and FTP.
Add a logo to the Guardium Window
To add a company logo graphic to the Guardium window, or to add other HTML content to the Guardium window:
- Click Global Profile to open the Global Profile panel.
- In Upload Logo Image, if you want to include a logo image in the portal window, enter an image file name or click Browse to select a file to upload to the Guardium appliance, and then click Upload.
- Refresh your browser window. The new logo appears.
Encrypt Must Gather
Encrypt Must Gather was added to the Global Profile. The default value is cleared (Do not encrypt): while it is cleared, must gather output is only compressed, not encrypted. When the check box is checked, all future must gather output is encrypted. Encryption can also be switched on with the CLI command store encrypt_must_gather on and switched off with store encrypt_must_gather off.
Check for Guardium updates
Adding a check mark displays the relevant ad hoc Guardium patches, GPUs/CFPs/Bundles, sniffer patches, and security patches that are available for the customer to download. Once a patch has been installed, it disappears from the list.
Datasource connection timeout
Set the Datasource connection timeout in seconds. The default is 60 seconds.
The corresponding GrdAPI command to update this value is: grdapi update_datasource_connection_timeout timeoutInSecond=80