Guardium CEF Connector Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
The "Guardium Solution CEF Connector Configuration Guide" explains how to configure a Guardium appliance to send audit reports and real-time alerts to an ArcSight server in Common Event Format (CEF). It covers supported device versions, configuration steps, event mapping, and a table that maps Guardium event fields onto ArcSight CEF fields. The aim is consistent logging and alerting through ArcSight: every alert carries the same structured details (source and destination IP addresses and ports, network and database protocol, database information, user and application names, the SQL string, timestamps, and the policy violation ID), so ArcSight can parse and correlate Guardium events without vendor-specific logic.
Details:
The document titled "Guardium Solution CEF Connector Configuration Guide" describes how to configure a Guardium appliance to send audit reports and real-time alerts in Common Event Format (CEF) to an ArcSight server. It includes revision history, device support information, and step-by-step instructions for setting up the integration. Key points include:
1. **Revision History**: The document has undergone multiple revisions since its initial release on September 4, 2008, with updates including clarifications in Global Profile definitions, addition of field mappings, descriptions, scenarios, and additional custom fields. Most recent changes were made on July 21, 2009, updating the format and adding a certification logo to the front page.
2. **Device Support**: The Guardium Appliance supports device versions 7.0 and above for collecting syslog events.
3. **Overview**: The Guardium solution aims to protect the entire application and database infrastructure by monitoring real-time database activities, providing auditing and compliance solutions, change control, vulnerability management, and data leak prevention.
4. **Configuration Steps**:
   - Syslog forwarding: from the Guardium CLI, configure the appliance to forward its syslog output to the ArcSight server. Both audit-report output and real-time alerts travel over this channel, so it must be working before either is configured.
   - Audit reports: create an audit process, add tasks that export the report as a CEF file and write it to syslog, then run the process or put it on a schedule.
   - Real-time alerts: in the Admin Console, set the Global Profile to emit alert messages in CEF format. The profile determines which alert fields (severity, server type, classification, database protocol and the rest of the mapping table) are written into the CEF header and extension.
   - Use the Policy Builder to define the policy rules whose real-time alerts are sent to ArcSight via syslog.
5. **Event Mapping**: Detailed event mapping from device events to ArcSight data fields is provided for seamless integration.
This guide serves as a comprehensive manual for implementing CEF reporting in Guardium solutions, facilitating efficient logging and alerting through the ArcSight platform.
The article then describes the mappings from ArcSight data fields to the vendor-specific event definitions in the Guardium Global Profile. It gives a table of these field mappings for real-time alerts in CEF, built on the template `CEF:0|Guardium|Guardium|7.0|%%ruleID|%%ruleDescription|5|rt=%%receiptTimeMills`: the seven pipe-delimited header fields (CEF version, device vendor, device product, device version, signature ID, name, severity) are filled from the triggering rule's ID and description, severity is fixed at 5 in the template shown, and the extension starts with the receipt time in milliseconds followed by the mapped fields. The table lists the required CEF header fields, the extension keys, and the ArcSight event fields they populate, such as severity, server type, category, classification, database protocol, application user name, source program, request type, session start time, network protocol and SQL string. Because rule description, category, classification and severity always land in the same positions, ArcSight can identify and filter Guardium alerts on those fields directly.
The result is a standardized record for alerts generated by Guardium and consumed by ArcSight, covering IP addresses, port numbers, network protocols, database information, user names, application names, SQL strings, timestamps, and policy violation IDs. Fixing the field positions and key names ensures that events are recorded consistently and accurately whichever Guardium policy raised them, which makes analysis easier and lets the other components of the security infrastructure share one parser.
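The CEF template quoted above can be exercised end to end with a small parser that applies the ArcSight CEF escaping rules (a backslash escapes `|` in the header and `=` in extension values). The following Python is an added example, not code from the configuration guide or from IBM or ArcSight. The syslog lines in it are constructed, and the extension keys used (`src`, `dst`, `suser`, `cs1` with `cs1Label` for the SQL string, and so on) are standard CEF keys assumed for illustration rather than the exact keys the Guardium Global Profile emits.

```python
"""Parse CEF lines of the shape the Guardium Global Profile emits.

Added example, not code from the configuration guide. SAMPLE_LINES are
constructed; the extension keys are standard ArcSight CEF keys assumed
for illustration, not the exact keys Guardium produces.
"""
import re
from collections import Counter
from datetime import datetime, timezone

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Extension keys are bare identifiers immediately followed by '='; a '\=' inside
# a value is an escaped '=' and must not start a new key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

# Constructed sample: two alerts behind a syslog prefix plus one non-CEF line.
SAMPLE_LINES = [
    r"<13>Apr  8 10:15:22 guardium CEF:0|Guardium|Guardium|7.0|20001|Failed login|5|"
    r"rt=1744107322000 src=10.1.2.3 spt=50123 dst=10.1.2.10 dpt=1521 proto=TCP "
    r"suser=appuser sproc=sqlplus cs1Label=SQL String cs1=SELECT * FROM emp WHERE dept\=10",
    r"<13>Apr  8 10:16:05 guardium CEF:0|Guardium|Guardium|7.0|20002|Policy \| violation|8|"
    r"rt=1744107365000 src=10.1.2.4 dst=10.1.2.10 dpt=1521 suser=dba "
    r"cs1Label=SQL String cs1=SELECT password FROM users",
    "<13>Apr  8 10:16:09 guardium sshd[411]: Accepted publickey for cli",
]


def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring backslash escapes
    ('\\|' is a literal pipe, '\\\\' a literal backslash). Returns (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields: %r" % body)
    return fields, body[i:]


def _unescape(value):
    """Undo extension-value escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF payload; raises ValueError otherwise."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    header, ext = _split_header(line.rstrip("\r\n")[start + 4:])
    rec = dict(zip(HEADER_FIELDS, header))
    if rec["severity"].isdigit():          # CEF allows 0-10 or Low/Medium/High
        rec["severity"] = int(rec["severity"])
    rec["extensions"] = _parse_extension(ext)
    return rec


def receipt_time(rec):
    """rt is milliseconds since the epoch; return an aware UTC datetime."""
    return datetime.fromtimestamp(int(rec["extensions"]["rt"]) / 1000, tz=timezone.utc)


def parse_lines(lines):
    """Parse every CEF line in a syslog stream, skipping lines without a CEF payload."""
    records = []
    for line in lines:
        try:
            records.append(parse_cef(line))
        except ValueError:
            continue
    return records


def alerts_at_or_above(records, min_severity):
    """(rule ID, rule description, source IP, SQL string) for the more severe alerts."""
    return [(r["signature_id"], r["name"], r["extensions"].get("src"), r["extensions"].get("cs1"))
            for r in records
            if isinstance(r["severity"], int) and r["severity"] >= min_severity]


def count_by_rule(records):
    """How many alerts each policy rule produced."""
    return Counter(r["signature_id"] for r in records)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for r in recs:
        print(receipt_time(r).isoformat(), r["signature_id"], r["name"], r["severity"])
    print(alerts_at_or_above(recs, 7))
    print(count_by_rule(recs))
```

The header splitter walks character by character rather than calling `split("|")`, because a rule description containing a pipe (the second sample) would otherwise shift every later field and corrupt the severity. The extension parser locates keys rather than splitting on spaces, because the SQL string and the `cs1Label` value legitimately contain spaces; only an unescaped `=` in a value would break it, and the CEF rules require that to be escaped as `\=`.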