Creating an event map for IBM Guardium events
Event mapping is required for a number of IBM® Guardium® events. Due to the customizable nature of policy rules, most events, except the default policy events do not contain a predefined IBM QRadar® Identifier (QID) map to categorize security events.
About this task
You can individually map each event for your device to an event category in QRadar. Mapping events allows QRadar to identify, coalesce, and track recurring events from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for IBM Guardium are categorized as unknown. Unknown events are easily identified as the Event Name column and Low Level Category columns display Unknown.
As your device forwards events to QRadar, it can take time to categorize all of the events for a device, as some events might not be generated immediately by the event source appliance or software. It is helpful to know how to quickly search for unknown events. When you know how to search for unknown events, we suggest that you repeat this search until you are satisfied that most of your events are identified.
- Log in to QRadar.
- Click the Log Activity tab.
- Click Add Filter.
- From the first list, select Log Source.
From the Log Source Group list, select the log source group or
Log sources that are not assigned to a group are categorized as Other.
- From the Log Source list, select your IBM Guardium log source.
Click Add Filter.
The Log Activity tab is displayed with a filter for your log source.
From the View list, select Last Hour.
Any events that are generated by the IBM Guardium DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low Level Category column require event mapping in QRadar.Note: You can save your existing search filter by clicking Save Criteria.
You are now ready to modify the event map.