IBM Security Guardium


Creating report for created rules

  • 1.  Creating report for created rules

    Posted Fri November 01, 2019 08:57 AM
    Dear Team,

    The new version of Guardium has a default PCI DSS policy. There are 18 established rules within this policy.

    I would like to know how to create a report on each of these rules.

    For example:

    The first rule - Failed login
    2. If Repeated
    3. SQL Error
    4. SQL Error - alert on risk indicative error, etc.

    And a report for it.

    And so on.
     
    Unfortunately, detailed instructions for creating reports for each rule are nowhere to be found.

    Thank You

    ------------------------------
    Ali Bayramov
    ------------------------------


  • 2.  RE: Creating report for created rules

    IBM Champion
    Posted Fri November 01, 2019 09:53 AM
    Hi Ali:

    You have to create a query that matches the logic in the policy rule.

    It looks like you are most interested in reporting on Exceptions. There are several Exceptions reports provided by IBM that you can clone and use for your purposes.

    But I can try to explain: you want to create the query in the Exceptions Domain, and the main difference between login failures and SQL errors is that you will want a condition of 'Exception Type = LOGIN_FAILED or SQL_ERROR' in order to get the events that you want to capture. Then add in the other conditions that you use in your policy, like IN GROUP. I attached a snapshot as an example.

    Thresholding is a little tougher, but you can exclude the timestamp and add a count. Then provide the from and to period when you execute the query. Or leverage an audit process or alert.
    Thanks,

    ------------------------------
    Wendy Zemba
    ------------------------------

    Attachment(s): Falied Login Report.docx (69 KB)
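
The thresholding advice in the reply above, shown as an added example that is not part of the original thread and is not Guardium's query builder or schema: it runs the same logic (exception type condition, group membership, from/to period, count without the timestamp) against an in-memory SQLite table. The table and column names, the group members and the sample rows are all constructed assumptions.

```python
import sqlite3

# Constructed sample events. Table and column names are hypothetical stand-ins,
# not Guardium's internal schema.
EVENTS = [
    ("2019-11-01 08:00:01", "LOGIN_FAILED", "appuser", "192.0.2.5"),
    ("2019-11-01 08:00:03", "LOGIN_FAILED", "appuser", "192.0.2.5"),
    ("2019-11-01 08:00:07", "LOGIN_FAILED", "appuser", "192.0.2.5"),
    ("2019-11-01 08:05:00", "SQL_ERROR", "dba1", "192.0.2.9"),
    ("2019-11-01 08:06:00", "LOGIN_FAILED", "guest", "192.0.2.7"),    # user not in group
    ("2019-11-02 09:00:00", "LOGIN_FAILED", "appuser", "192.0.2.5"),  # outside period
]
GROUP_MEMBERS = ["appuser", "dba1"]  # stands in for the policy rule's IN GROUP condition


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE exceptions (ts TEXT, exception_type TEXT, db_user TEXT, client_ip TEXT)")
    db.executemany("INSERT INTO exceptions VALUES (?, ?, ?, ?)", EVENTS)
    db.execute("CREATE TABLE group_members (member TEXT)")
    db.executemany("INSERT INTO group_members VALUES (?)", [(m,) for m in GROUP_MEMBERS])
    return db


def exception_report(db, period_from, period_to, threshold=1, with_timestamp=False):
    """Count matching exceptions per (type, user, client) inside [period_from, period_to)."""
    # cols is built from fixed literals only, never from caller input.
    cols = "exception_type, db_user, client_ip" + (", ts" if with_timestamp else "")
    sql = f"""
        SELECT {cols}, COUNT(*) AS n
        FROM exceptions
        WHERE exception_type IN ('LOGIN_FAILED', 'SQL_ERROR')
          AND db_user IN (SELECT member FROM group_members)
          AND ts >= ? AND ts < ?
        GROUP BY {cols}
        HAVING COUNT(*) >= ?
        ORDER BY n DESC, db_user
    """
    return db.execute(sql, (period_from, period_to, threshold)).fetchall()


if __name__ == "__main__":
    db = build_db()
    day = ("2019-11-01 00:00:00", "2019-11-02 00:00:00")
    # Timestamp excluded: the three failed logins collapse into one row with n = 3.
    print(exception_report(db, *day, threshold=3))
    # Timestamp kept: every row is its own group, so no count ever reaches 3.
    print(exception_report(db, *day, threshold=3, with_timestamp=True))
```

Keeping the timestamp in the selected fields makes every event its own group, which is why a "repeated" rule cannot be reproduced in a report until the timestamp is dropped and a count is added.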