IBM Support

QRadar: How to configure non-default events for the IBM Guardium DSM

Question & Answer


Question

Can Guardium send events that are not included in the Guardium DSM to IBM QRadar?

Answer

Guardium requires a defined policy to alert on the data that needs to be forwarded to QRadar. The rule action would be 'Alert Only'. With an alert, you can create a LEEF template so that the alerts are sent to QRadar in a form it can parse. For example, a user may want to alert on any Microsoft Data Definition Language (DDL) statements that are run. The user would configure Guardium with an 'Alert Only' rule action and Syslog as the receiver. Guardium would then forward the data to QRadar.

Since these events will not be understood by the default Guardium DSM, a Log Source extension will need to be created to assist with parsing the events.
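As an added illustration of what the Log Source extension has to do with such a syslog-forwarded LEEF alert (this is example code, not IBM's or the Guardium DSM's own parsing), the Python below splits a LEEF line into its header and key=value attributes and picks out the DDL verb of the forwarded statement. The sample event, the `DDL_ALERT` event id and the `sqlStatement` key are constructed for the example; the parser also goes beyond the page by accepting LEEF 2.0 custom delimiters alongside the LEEF 1.0 tab delimiter.

```python
import re
from typing import Dict, Tuple

# Constructed sample (not a real Guardium message): an 'Alert Only' rule hit
# forwarded over syslog in LEEF 1.0. devTime/src/usrName/cat are predefined
# LEEF keys; sqlStatement and the DDL_ALERT event id are hypothetical.
SAMPLE_EVENT = (
    "<13>Jun 16 10:42:01 guardium01 LEEF:1.0|IBM|Guardium|10.1|DDL_ALERT|"
    "devTime=Jun 16 2018 10:42:01\tsrc=10.0.0.5\tusrName=dbadmin\t"
    "cat=Alert Only\tsqlStatement=DROP TABLE dbo.Customers"
)

HEX_DELIM = re.compile(r"^0?x([0-9A-Fa-f]{2})$")   # LEEF 2.0 'x09' style delimiter
DDL_VERBS = ("CREATE", "ALTER", "DROP", "TRUNCATE")


def _resolve_delim(field: str) -> str:
    """LEEF 2.0 delimiter field: one character, 'x09'-style hex, or empty (tab)."""
    if field == "":
        return "\t"
    m = HEX_DELIM.match(field)
    return chr(int(m.group(1), 16)) if m else field


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a syslog-wrapped LEEF 1.0/2.0 line into header fields and attributes."""
    start = line.find("LEEF:")            # skip the syslog priority/timestamp/host prefix
    if start < 0:
        raise ValueError("no LEEF header in line")
    parts = line[start:].split("|", 6)    # header has 5 pipes (1.0) or 6 pipes (2.0)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    header = dict(zip(("vendor", "product", "version", "event_id"), parts[1:5]))
    header["leef"] = parts[0].split(":", 1)[1]
    delim, attr_text = "\t", "|".join(parts[5:])      # LEEF 1.0: tab-delimited attributes
    if (header["leef"].startswith("2") and len(parts) == 7
            and (len(parts[5]) <= 1 or HEX_DELIM.match(parts[5]))):
        delim, attr_text = _resolve_delim(parts[5]), parts[6]
    attrs: Dict[str, str] = {}
    for item in attr_text.split(delim):
        if "=" in item:                   # attributes are key=value; value may contain '='
            key, value = item.split("=", 1)
            attrs[key.strip()] = value.strip()
    return header, attrs


def ddl_verb(attrs: Dict[str, str]) -> str:
    """Return the DDL verb of the forwarded statement, or '' if it is not DDL."""
    first = attrs.get("sqlStatement", "").lstrip().split(" ", 1)[0].upper()
    return first if first in DDL_VERBS else ""
```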


Where do you find more information?




Document Information

Modified date:
16 June 2018

UID

swg21989757