Release notes - Guardium Insights Version 3.4.0
IBM Guardium Insights is a hybrid cloud data security hub that helps you improve visibility into user data activity and risk. Guardium Insights helps you protect data more efficiently, enhance information technology flexibility, and reduce operational costs as you embrace new business paradigms (such as moving data to the cloud). Guardium Insights helps reduce the cost and complexity related to collecting, managing, and retaining data security and compliance data. It provides new analytics to enhance threat investigations - and it provides quick reporting functionality (including prebuilt reports). Risk scoring and alerting in Guardium Insights help you prioritize your activities.
Version 3.4.x: This content only applies to Guardium Insights Version 3.4.x.
Guardium Insights is a powerful tool that can help you secure your data. Simple to use, Guardium Insights allows you to set up connections to your data sources.
Guardium Insights provides tools to help you analyze data:
- Outlier mining: Detecting anomalies in activities and exceptions.
- Risk events: Identifying assets at risk using broad data points.
- Reports: Dive into the raw data for deep investigation.
Download Guardium Insights v3.4.0
Guardium Insights V3.4.0 can be downloaded as an archive file (2.4.0.tar.gz) from: https://github.com/IBM/cloud-pak/tree/master/repo/case/ibm-guardium-insights
You can install only the products for which your site is entitled.
For further instructions, read the README.md file located after unzipping the latest tar file.
Install Guardium Insights v3.4.0
Before installing Guardium Insights, review the system requirements.
This offering is deployed as a new installation of Guardium Insights – or as an in-place upgrade. Please follow these instructions:
What's new in IBM Guardium Insights Version 3.4.0
- Ease of use
- Streaming analytics consolidation with risk events: Outliers are detected from streaming data. This surfaces potential emerging risks (for data that is not subject to policies). With this new feature, you can see and react to emerging threats more quickly.
- Technical debt
- Improvements to mini-snif have reduced the number of duplicate instance messages.
- System health dashboard
- A system health dashboard has been introduced in Guardium Insights with fifteen new dashboard cards. You can now monitor the health of your full-stack Guardium Insights deployments (including OpenShift®). This new dashboard can be added by selecting it from the dashboard templates view. For more information, see Dashboards.
Three of the health dashboard cards (PVC Usage, Pod Restart and Direct Streams Ingestion) require Prometheus to be enabled. For more information, see Configuring Prometheus.
- Slack integration
- The Slack integration is used to send outgoing messages from Guardium Insights to Slack, an instant messaging platform. Customers of all Guardium products can send notifications from within Guardium to Slack, increasing efficiencies and keeping up with modern ways of working. You can create an app in your Slack workspace and then configure Guardium Insights with its incoming webhook or bot user token (with the chat:write scope). After integration, you can use Slack to receive notifications and policy alerts. For more information, see Slack configuration.
- Active queries monitor
- The active queries monitor is a new dashboard card and report that shows key information about queries. The report shows the origin of the query, the user who ran it, its name, start time, elapsed time, and status. In addition, you can use the report to view the SQL of the query and, for SELECT statements, stop the query.
With this feature, you can view the status and progress of running jobs, and cancel them if needed, helping you prevent system performance issues.
- Asset inventory
  - View the connected entities of an asset and their relationships with an interactive topology map.
  - Six new cards are added to the Classic Guardium Insights overview dashboard to view high-level asset information.
  - Along with the default list of all assets, you can also view the list of assets that are grouped by hostname.
  - You can now create a category when you add auto-tagging rules for assigning tags to the assets.
- Risk event categories feedback
- The risk event categorization has been enhanced and is now based on a machine learning model. With your help in providing feedback, this model can adjust itself to your organization's needs. The machine learning model uses both positive and negative feedback to fine-tune the categorization. It uses an incremental learning algorithm that modifies the model gradually with each feedback provided, so that a single case does not have a disproportionate impact. For more information on the risk event categories and feedback, see Risk event categories and Providing feedback, respectively.
- Variants
- Variants allow you to use report data more easily by customizing reference data inside reports, as required. Customization of report data also allows for better joins to occur with custom data. For more information, see Working with variants.
- Workflows
- With Guardium Insights workflows, you can intuitively schedule jobs in simple or advanced manners, as suits your needs. When you create a workflow in Guardium Insights, you are setting up a process for scheduling jobs and then tracking the distribution, review, and completion of those jobs. You can schedule reports to run and set up workflows for those reports - or you can schedule import jobs (these require an integration for importing and exporting data, which you can set up when you create the workflow if you don't already have one).
- Universal connector
  - Cloud databases: Support added for PostgreSQL, AWS PostgreSQL, and Aurora MySQL.
  - On-premises databases: Syslog support added for PostgreSQL, EnterpriseDB PostgreSQL, and Yugabyte.
- GDPR Compliance program
- A new guided compliance program with enhanced user experience was added to help you secure your data and achieve General Data Protection Regulation (GDPR) compliance. For more information, see Compliance milestones.
- Reports
- You now have the ability to display report data for a customized time period. You can group timestamps by the hour, day, week, month, year, or a specific date.
- Enhanced dashboard filtering
- This release provides the ability to add global dashboard filters by clicking individual cells in report-type cards and selecting filter criteria. Once set, global filters are applied to all cards on the dashboard that support the criteria, allowing you to quickly identify and visualize stories in your data.
- Improved group population
- When customizing dashboards, you can now add a card for a group. This allows you to add members to your groups from your dashboard. In addition, you can now add members to groups from within a report and you can automate group population by creating a workflow for a report that adds report results to a group.
- Notifications for risk events and policy alerts
- Risk events and policy alerts can now notify users using SMTP, Syslog, SNMP trap, Slack, and ticketing integrations.
- Data ingested after a Guardium Insights update is placed in new reporting tables
- Online reporting restricts time boundaries to be on either side of the update time. Times before the update will use the previous schema. Times after the update will use the new reporting tables. Offline reports allow report time to span the update time. Offline reports will merge the results across the old and new reporting tables.
- Joining custom data sets to reports
- If you create a custom data set, you can now join it with report data.
- Support for installing Guardium Insights on Amazon Elastic Kubernetes Service (EKS)
- See Installation on Amazon Elastic Kubernetes Service (EKS) to learn how to install Guardium Insights on Amazon Elastic Kubernetes Service (EKS).
Known limitations and workarounds for Guardium Insights v3.4.0
Issue key | Description |
---|---|
INS-29331 | In rare cases, there are Db2® errors for services such as the reports and risk services. These may prevent report execution or risk event generation. When this occurs, these errors are seen in the logs for the related service: Workaround: See Db2 errors for reports and risk services. |
INS-37220 | After upgrading Guardium Insights, the datamart-processor may not be able to write files to storage. As a result, data ingestion no longer takes place (the files are not ingested, but they are preserved). Workaround: To re-upload the files that have been preserved - and to resume ingestion - restart |
| After upgrading Guardium Insights from version 3.2.x to version 3.3.x and then to version 3.4.0, universal connector connections do not work due to a certificate error. Workaround: See Existing universal connector certificate does not work in a restored environment. |
INS-37352 | When there are very large amounts of data, the Data mart ingestion page displays this error: Workaround: If the Data mart ingestion page displays this error, you can access the data mart ingestion information by opening the Data mart ingestion status report. This report includes data marts collected from both collectors and aggregators. To open the reports page, select Reports in the main menu. Open this menu by clicking the main menu icon. |
INS-37724 | When working with compliance milestones, you can Refine alerts with the Configure alert recipients action. When you choose this action and refine alerts, you can elect to send emails for actions. When you click the Send email to action and then click Invite users, the resulting landing page includes an Add users button that does not work. Workaround: Go to the user management screen and add the user. Then return to the Refine alerts page to add the user to the list. |
INS-38008 | Upgrading Guardium Insights fails with a non-zero return code error when the length of the spec.guardiumInsightsGlobal.ingress.hostname value in your custom resource (CR) file is longer than 58 characters. Workaround: Before upgrading, ensure that the length of the |
INS-39694 | After modifying data retention settings, the new settings do not take effect until you restart the data retention pod. Workaround: Restart the data retention pod after changing the settings. |
INS-41777 | Guardium Insights upgrade becomes stuck because CSV does not update. Workaround: See Guardium Insights upgrade becomes stuck because CSV does not update. |
INS-41829 | The schedule for data marts v5 is missing after upgrading Guardium Insights. Workaround: Before upgrading to Guardium Insights v3.4.0, you must stop streaming. When you start data mart streaming after upgrade completion, enter a new date for v5 data marts. The initial start date can be set in the Schedule managed units export wizard in the page for the central manager. This date should be earlier than the date on which you stopped streaming data marts. |
INS-42573 | Guardium Insights displays a 500 Internal Server Error when opening a compliance milestone. Workaround: Reset user configurations for the environment before opening compliance milestones. |
INS-42575 | After upgrading Guardium Insights, logging in to the application takes several seconds. Workaround: Restart the Service Pod before logging in to the application. |
INS-42580 | During upgrade, the Guardium Insights custom resource (CR) appears to display an intermediary status for several minutes (for example, upgrading from version 3.3.3 to 3.4.0 displays an extended status that indicates upgrade to version 3.3.5). Workaround: This is expected behavior. The upgrade will commence during the next operator reconciliation. If there was a reconciliation running prior to patching the CR, the status of the Guardium Insights CR may take some time to update. You can safely force the operator to upgrade immediately by running this command: |
INS-42659 | AWS streams appear as unhealthy after upgrading Guardium Insights. Workaround: Ensure that you have installed Tenant Minisnif and Tenant GUC Custom Resources Version 3.3.4 or later (see this step). |
INS-42701 | After connecting to DynamoDB with the universal connector, traffic for the connection is not captured in reports. Workaround: Download the DynamoDB plug-in and upload it to Guardium Insights (see Connecting to data sources by using the universal connector). |
INS-42822 | After upgrading Guardium Insights and restoring a backup, newly-created universal connections appear as Unhealthy and pods are stuck in a Pending state. Workaround: Increase the storage volume count or contact IBM Cloud support. |
INS-42885 | Guardium Insights v3.4 changes the data model from v3.3 in order to improve report and ingestion performance. Shortly after upgrade, you may see scheduled reports running longer than usual or, in some circumstances, failing. The reason behind this may be that the data in the old data model and the new data model are being joined into a single result set in an attempt to minimize disruption. If you encounter longer than normal scheduled report execution times, this should be temporary and subsequent runs should be much faster. Workaround: If scheduled reports are failing, inspect the reports-runner pod logs. If you encounter an |
INS-42890 | Reports in the Active report categories (for example, Active Full SQL, Active Exception, and Active Policy Violation) can be used to debug issues with traffic capture, policy rule configuration, and for instantaneous confirmation of traffic capture for direct-streamed data sources in Guardium Insights. These reports may contain duplicate data. The duplicates will not appear in the main reporting categories on the audit data (for example, DB Activity, Full SQL, and Policy Violation), as the processing of the active data to the permanent data consolidates and removes the duplication. Workaround: None for the Active report categories. You can use the main report categories instead. |
INS-42960 | After restoring a backup to Guardium Insights, Guardium Data Protection connections can become red and data marts are not pulled from Guardium Data Protection. This occurs rarely. Workaround: See Existing data mart pull configuration does not work in a restored environment. |
INS-43003 | After upgrading Guardium Insights from version 3.3.0 to 3.4.0, some of the universal connector connections became unhealthy. Workaround: Reconfigure the unhealthy universal connector connections. |
INS-43004 | After upgrading Guardium Insights, existing Guardium Data Protection connections do not ingest v4 data marts. Workaround: Re-register the Guardium Data Protection connections to update existing certificates. |
INS-43127 | Asset inventory page does not load after upgrading Guardium Insights. Workaround: Manually delete the collections ( |
INS-43135 | After running systest-preupgrade-validation in Guardium Insights, the log contains this warning: Workaround: See MongoDB warning in pre-upgrade validation script. |
INS-43179 | After restoring a backup to Guardium Insights, data marts are not pulled from Guardium Data Protection and the guard_filetransfer_log file contains a Permission denied, please try again error. Workaround: See Existing data mart pull configuration does not work in a restored environment. |
INS-43190 | After backing up Guardium Insights version 3.4.0 from cluster A - and then restoring onto cluster B with a different domain name (FQDN) - Filebeat/syslog universal connector connections do not work. Workaround: Reconfigure the Filebeat/syslog universal connector connections. |
INS-43243 | Legacy GI to GDP API communication protocol port number cannot be modified if it is removed. Workaround: Instead of removing the port number, replace it with a copy and paste of the correct port number. |
INS-43625 | When restoring a backup of Guardium Insights, this error occurs: Workaround: If this is present in the Db2 restore section: Your backup was not downloaded correctly to your PVC and it has been corrupted. If multiple .gz files exist in your backup directory/DB2/ folder, start with the smallest tgz folder (in terms of byte size) and try to untar with this command: If you see this: That is the file that is corrupted. If you still have the original backup files, you can do a If you no longer have the original backup files, verify that the affected tgz file does not have the If the Otherwise, remove all delta files in the backup and restore only the gz file with the |
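A pre-upgrade check for the INS-38008 hostname-length limit listed above, as an added example that is not IBM's code or a Guardium Insights script: it reads a block-style CR YAML offline (no PyYAML, no cluster access) and reports whether spec.guardiumInsightsGlobal.ingress.hostname is longer than 58 characters. The sample CRs are constructed, and the CR layout, kind and apiVersion are assumptions.

```python
"""Pre-upgrade check for INS-38008 (added example, not IBM code): the
ingress hostname in the Guardium Insights CR must be at most 58 characters."""
import re
MAX_HOSTNAME_LEN = 58  # limit stated in the INS-38008 release note
HOSTNAME_PATH = ("spec", "guardiumInsightsGlobal", "ingress", "hostname")

def lookup_yaml_path(yaml_text, path):
    """Scalar at `path` in block-style YAML, or None. Minimal indentation walker
    (assumes plain key: value mappings, no flow style) so no PyYAML is needed."""
    depth, parent_indent, child_indent = 0, -1, None
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent <= parent_indent:
            return None                 # mapping closed before our key
        if child_indent is None:
            child_indent = indent       # first key of the current mapping
        if indent != child_indent:
            continue                    # nested under a sibling key
        m = re.match(r"([^:\s][^:]*):\s*(.*)$", line.strip())
        if not m or m.group(1) != path[depth]:
            continue
        depth += 1
        if depth == len(path):
            return m.group(2).strip().strip("'\"")
        parent_indent, child_indent = indent, None
    return None

def check_ingress_hostname(cr_yaml):
    """Return (ok, message) for the hostname-length precondition."""
    host = lookup_yaml_path(cr_yaml, HOSTNAME_PATH)
    if host is None:
        return False, ".".join(HOSTNAME_PATH) + " not found in CR"
    if len(host) > MAX_HOSTNAME_LEN:
        return False, f"hostname is {len(host)} chars, limit is {MAX_HOSTNAME_LEN}"
    return True, f"hostname is {len(host)} chars, within limit"

# Constructed sample CRs; the CR shape is assumed and apiVersion is a placeholder.
CR_TOO_LONG = """apiVersion: example.invalid/v1
kind: GuardiumInsights
spec:
  license:
    accept: true
  guardiumInsightsGlobal:
    ingress:
      hostname: insights.a-very-long-subdomain-name-for-testing-purposes.example.com
"""
CR_OK = CR_TOO_LONG.replace("a-very-long-subdomain-name-for-testing-purposes.", "apps.")
```

Run the check against the CR file you intend to apply before starting the upgrade; a False result means the upgrade would fail with the non-zero return code error described in INS-38008.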
Resources
IBM Guardium Insights documentation: Guardium Insights overview
Guardium Insights v3.4.x system requirements and prerequisites
IBM Security Learning Academy: https://www.securitylearningacademy.com