IBM Security Guardium

  • 1.  CEF Format to Threshold Alerts

    IBM Champion
    Posted Sun March 29, 2020 05:15 AM
    Hi, 
    Does anyone know if it's possible to create a Message Template in CEF format for Threshold alerts?

    Thanks, 
    Eden.

    ------------------------------
    Eden Amsalem
    ------------------------------


  • 2.  RE: CEF Format to Threshold Alerts

    Posted Mon March 30, 2020 04:50 AM
    Hi Eden,

    It is possible to create a custom template via the global profile for CEF format.

    Setup --> Tools and Views --> Global Profile

    Select Edit Named Template and choose the add button. Ensure you change the template type to THRESHOLD_ALERT.

    Using this will help you map the CEF template to your requirements.
    https://www.ibm.com/support/knowledgecenter/SSMPHH_11.1.0/com.ibm.guardium.doc.admin/integrate/cef_mapping.html

    ------------------------------
    Aaron Kinchen
    ------------------------------



  • 3.  RE: CEF Format to Threshold Alerts

    IBM Champion
    Posted Tue March 31, 2020 03:47 AM
    Hi Aaron,

    Thanks for your answer. 
    I know the page you sent, but all the parameters on this page are for real-time alerts (data access), and I want to build a CEF message template that has self-monitoring parameters, for example, the Failed Logins to Guardium alert.

    Thanks,
    Eden.

    ------------------------------
    Eden Amsalem
    ------------------------------



  • 4.  RE: CEF Format to Threshold Alerts

    Posted Wed April 01, 2020 11:20 AM
    Hi Eden,

    Yes, you can do that here.

    Attachment1
    Click the Add (plus symbol) button, and select THRESHOLD_ALERT. This will allow you to create a new one.


    Attachment2
    On the edit message template screen, you can filter on threshold message templates.


    Attachment3
    Once created, you can add this to a pre-existing self-monitoring alert.






    ------------------------------
    Aaron Kinchen
    ------------------------------



  • 5.  RE: CEF Format to Threshold Alerts

    IBM Champion
    Posted Thu April 02, 2020 03:12 AM
    Hi Aaron, 
    I know this flow, but the values don't match the CEF parameters. Also, I just found out that IBM wrote that it's not possible to use it in the way I wanted, for Self-Monitoring domains :/

    Thanks,
    Eden.

    ------------------------------
    Eden Amsalem
    ------------------------------