IBM Support

How do I configure Guardium so that the object is visible in the SIEM?

Question & Answer


Question

I'm sending alerts from a Guardium appliance to the SIEM. I'm interested in seeing the object in the SIEM. For example, I want to see the object creditno table. I can see the table names in the SQL itself, of course, but I want to see the object as it appears in the Guardium appliance as well.

Answer

Guardium does not currently send the object to the SIEM (Security Information and Event Management) as a separate field. See the CEF mapping article for the fields that are sent:
https://www.ibm.com/support/knowledgecenter/SSMPHH_9.1.0/com.ibm.guardium91.doc/appendices/topics/cef_mapping.html

The object does appear in the SQL or FULL SQL text that is sent over, but it is not readily visible in the SIEM. As a workaround, name the alerting policy rule in Guardium so that the rule name itself states which object or objects the alert is for; the rule name travels with the alert and can be searched in the SIEM.

For example, if you create an alert for a DBA (Database Administrator) doing a SELECT on a table called creditNo, you could name the policy rule DBALookedAt_Object_creditNo.

If the alerting rule covers many objects in a list or group, you could name the rule DBALookedAt_Objects_CreditNoInformation, where CreditNoInformation is a group of objects with members such as creditNo, AccountInfo and creditCheck. Using the same group name in the rule name as in the alerting rule makes it exactly clear which objects the name covers.
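The SIEM-side counterpart of this workaround, as an added example that is not part of the technote or of Guardium itself: a Python parser that reads a CEF alert, takes the object name(s) from a rule name following the convention above (resolving a group name against a locally kept copy of the group's members), and otherwise falls back to the table names found in the SQL text. The sample CEF events, the group membership, and the choice of the CEF header Name field for the rule name and the `msg` extension key for the SQL are constructed assumptions for illustration only; check them against the CEF mapping document for your Guardium version before relying on them.

```python
"""Recover the Guardium 'object' at the SIEM from a CEF alert.

Added example, not IBM's or Guardium's code. Assumptions (illustration only):
the policy rule name is in the CEF header Name field, the SQL text is in the
'msg' extension key, and the SIEM keeps its own copy of group membership.
"""
import re
from dataclasses import dataclass

# Constructed copy of a Guardium object group; the CEF event itself does not
# carry group membership, so the SIEM needs its own copy to expand a group name.
GROUPS = {
    "CreditNoInformation": ["creditNo", "AccountInfo", "creditCheck"],
}

# Constructed sample events in the generic CEF layout:
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extensions
SAMPLE_EVENTS = [
    r"CEF:0|IBM|Guardium|10.1|1|DBALookedAt_Object_creditNo|5|"
    r"suser=dba01 dst=10.0.0.5 msg=select * from creditNo where id\=42",
    r"CEF:0|IBM|Guardium|10.1|2|DBALookedAt_Objects_CreditNoInformation|7|"
    r"suser=dba02 msg=select c.creditNo, a.balance from creditCheck c "
    r"join AccountInfo a on a.id \= c.id",
    # Rule not named by the convention: only the SQL text identifies the object.
    r"CEF:0|IBM|Guardium|10.1|3|Generic SQL alert \| legacy|3|"
    r"suser=app msg=update Orders set status \= 'x' where id \= 1",
]


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extensions: dict


_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")            # start of a 'key=' token
_RULE_OBJECT = re.compile(r"_Object_(\w+)$")        # ..._Object_<table>
_RULE_GROUP = re.compile(r"_Objects_(\w+)$")        # ..._Objects_<group>
_SQL_TABLE = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][\w.]*)",
                        re.IGNORECASE)


def _unescape_ext(value: str) -> str:
    """Undo CEF extension escaping (backslash before '=', '\\', 'n', 'r')."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extensions(ext: str) -> dict:
    """Split 'key=value key2=value ...'; values may themselves contain spaces."""
    out = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> CefEvent:
    """Split the seven pipe-separated header fields, honouring '\\|' escapes,
    then hand the remainder of the line to the extension parser."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body = line[len("CEF:"):]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped character, take literally
            cur.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return CefEvent(*fields, extensions=parse_extensions(body[i:]))


def objects_from_rule_name(name: str, groups: dict) -> list:
    """Objects encoded in a rule name by the '_Object_' / '_Objects_' convention."""
    m = _RULE_OBJECT.search(name)
    if m:
        return [m.group(1)]
    m = _RULE_GROUP.search(name)
    if m:
        return list(groups.get(m.group(1), []))
    return []


def objects_from_sql(sql: str) -> list:
    """Fallback: table names after FROM/JOIN/INTO/UPDATE, deduplicated."""
    seen, out = set(), []
    for name in _SQL_TABLE.findall(sql):
        if name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out


def objects_for_event(line: str, groups: dict = GROUPS, sql_key: str = "msg"):
    """Return (rule name, which source identified the objects, object list)."""
    ev = parse_cef(line)
    objs = objects_from_rule_name(ev.name, groups)
    if objs:
        return ev.name, "rule_name", objs
    return ev.name, "sql", objects_from_sql(ev.extensions.get(sql_key, ""))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(objects_for_event(event))
```

The rule-name path is preferred because it reflects what the policy author intended the alert to cover, while the SQL fallback only sees the tables named in that one statement (and a regex over SQL will miss views, synonyms and vendor-specific syntax), so treat the fallback as best effort.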

Product: IBM Security Guardium
Component: Guardium Database Activity Monitor
Platforms: AIX, HP-UX, Linux, Solaris, Windows, z/OS
Versions: 8.2, 9.0, 9.1, 9.5, 10.0, 10.0.1, 10.1
Edition: All Editions

Document Information

Modified date: 16 June 2018

UID: swg21993415