Global Profile

The Global Profile panel defines defaults that apply to all users.

Override the Default Aliases Setting

By default, for any new report, or for any report that is contained in a default layout, aliases are not used.

An alias provides a synonym that substitutes for a stored value of a specific attribute type. It is commonly used to display a meaningful or user-friendly name for a data value. For example, Financial Server might be defined as an alias for IP address 192.168.2.18.

If you want to see aliases by default, you can change the default aliases setting for all reports, as follows:

  • Click Setup > Tools and Views > Global Profile to open the Global Profile.
  • Mark the Use Aliases in Reports unless otherwise specified check box.
  • Click Apply.

Customize the PDF Page Footer

PDF files created by various Guardium® components (audit tasks, for example) have a standard page footer. To customize that footer:

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. In the PDF Footer Text field, enter the text to be printed at the foot of each page.
    Note: PDF footer text is not distributed from the Central Manager/Aggregator to the Managed Units; set it on each managed unit separately.
  3. Click Apply.

Edit the Alert Message Template

To customize the message template used to generate alerts:

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. In the Message Template text box, edit the alert template text.

    You can mark the no wrap check box to see where the line breaks appear in the message.

  3. Click Apply when you are done.
  4. Changes will not take effect until the inspection engines are restarted. To do that now, click Manage > Activity Monitoring > Inspection Engines to open the Inspection Engines. Click Restart Inspection Engines.
Table 1. Alert Message Template Variables

%%addBaselineConstruct - To add to baseline. Attention: The Baseline Builder and related functionality is deprecated starting with Guardium V10.1.4.

%%AppUserName - Application user name

%%AuthorizationCode - Authorization code

%%category - Category from the rule definition

%%classification - Classification from the rule definition

%%clientHostname - Client host name

%%clientIP - Client IP address

%%clientPort - Client port number

%%DBName - Database name

%%DBProtocol - Database protocol

%%DBProtocolVersion - Database protocol version

%%DBUser - Database user name

%%lastError - Last error description; available only when the SQL error request that triggered an exception rule contains a last error description field

%%netProtocol - Network protocol. For K-TAP on Oracle, this may display as either IPC or BEQ.

%%OSUser - OS user name from the session information (OS_USER in GDM_ACCESS)

%%receiptTime - Timestamp of the time when the alert occurred

%%receiptTimeMills - Numeric value of the time when the alert occurred, in milliseconds since the fixed date of Jan 1 1900

%%requestType - Request type

%%ruleDescription - The rule description from the policy rule definition

%%ruleID - The rule number from the rule definition

%%serverHostname - Server host name

%%serverIP - Server IP address

%%serverPort - Server port number

%%serverType - The database server type

%%serviceName - Service name

%%sessionStart - Session start time (login time)

%%sessionStartMills - Numeric value of the start of the session in which the alert occurred, in milliseconds since the fixed date of Jan 1 1900

%%severity - Severity from the rule definition

%%SourceProgram - Source program name

%%SQLNoValue - SQL string with masked values. Each value in the SQL is replaced by ? in the syslog.

%%SQLString - SQL string (if any). This is the full statement, including literal values; prefer %%SQLNoValue in templates that are forwarded to syslog or a SIEM so that data values are not copied into the alert stream.

%%SQLTimestamp - The time on the packet/request (TIMESTAMP in GDM_CONSTRUCT_TEXT)

%%Subject[ ] - If this variable is used in the message template, everything between [ ] (for example, file name, email sender, description) becomes the subject line of the email sent to the user.

%%violationID - Numeric value of the POLICY_VIOLATION_LOG_ID of this alert in GDM_POLICY_VIOLATION_LOG (the same as the Violation Log ID in the Policy Violations / Incident Management report)

Named Template

Message templates are used to generate alerts.

The feature defines multiple message templates and facilitates the use of different templates on different rules. In the past, only a single message template was available for all rules, all receiver types, etc.

To add, modify and delete named message templates, click Edit. When creating a new named template, the starting value of the string is a copy of whatever is currently in the Message template of the Global Profile. "R/T Alert" is the only level of severity permitted.

Predefined message templates have been created for the SIEM solutions ArcSight, EnVision, and QRadar. The Guardium system comes preloaded with certified (agreed upon) templates to integrate with these SIEM solutions.

The Named Template builder can select from two template types: Real-time Alerts and Audit Process Report.

Use the Audit Process Report template type for audit process tasks.

Click Edit Named Templates. Choose a SIEM and then click Modify. Select Real-time Alerts or Audit Process Report.

After editing, the named message templates can be selected from within the Policy Builder menu. See Policies.

Selecting the QRadar template sends real-time alerts or Audit Process Reports to QRadar in LEEF format (QRadar's event format).

Follow these steps to send real-time alerts or Audit Process Results to the QRadar SIEM.

Real-time alert, Guardium to QRadar
  1. Create a real-time alert.
  2. Select Write to syslog.
  3. Select the template type (Real-time Alert).
  4. Forward to Q1 Labs QRadar SIEM (via LEEF mapping/predefined message template): choose the QRadar Named Template from the Global Profile.
  5. From the CLI, run the store remotelog command to forward the syslog messages to QRadar.
Audit Process Report, Guardium to QRadar

Click Harden > Vulnerability Assessment > Audit Process Builder to open the Audit Process Builder.

  1. Create an Audit Process report (Audit Process Builder).
  2. Select Write to syslog.
  3. Select the template type (Audit Process Report).
  4. Forward to Q1 Labs QRadar SIEM (via LEEF mapping/predefined message template): choose the QRadar Named Template from the Global Profile.
  5. From the CLI, run the store remotelog command to forward the syslog messages to QRadar.
For example, here is the default LEEF template for the Databases Discovered report:
LEEF:0|IBM|Guardium|9.0|Databases Discovered|Time Probed=${1}|Server IP=${2}|Server Host Name=${3}|DB Type=${4}|Port=${5}|Port Type=${6}  
Here are the report columns that are mapped to the template:
Time Probed      Server IP    Server Host Name    DB Type    Port    Port Type 
  1. Check Export to CSV file and Write to Syslog.
  2. Select the Named Template, LEEF Discovered Databases
  3. Configure Remote Syslog by using the store remotelog command. For example:
    store remotelog add user.info 9.70.145.68 udp

    This will now push all records from the audit process to the supplied IP address.
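Before pointing store remotelog at a production SIEM it is worth checking what a LEEF named template actually emits. The following Python is an added example, not Guardium code: it fills the Databases Discovered template shown above from a report row, prefixes the syslog PRI for user.info, and parses the line back the way a receiver would. Assumptions that the page does not state: ${n} is the 1-based index into the report columns in the order listed; the PRI for user.info is <14> (facility 1 * 8 + severity 6); a column value containing the | delimiter would split the record at the receiver, so the example rejects such a value rather than emitting it. The sample row is constructed.

```python
"""Render and parse a Guardium-style LEEF named template (added example,
not IBM Guardium code). See the lead-in for the assumptions made here."""
import re

# The default LEEF template for the Databases Discovered report, as printed on the page.
LEEF_TEMPLATE = ("LEEF:0|IBM|Guardium|9.0|Databases Discovered|"
                 "Time Probed=${1}|Server IP=${2}|Server Host Name=${3}|"
                 "DB Type=${4}|Port=${5}|Port Type=${6}")

# Report columns in the order the template's ${n} placeholders use (assumed 1-based).
COLUMNS = ["Time Probed", "Server IP", "Server Host Name", "DB Type", "Port", "Port Type"]

PLACEHOLDER = re.compile(r"\$\{(\d+)\}")
DELIM = "|"


def render_leef(template, row):
    """Replace each ${n} with row[n-1]; refuse values that would split the record."""
    def fill(match):
        idx = int(match.group(1)) - 1
        if idx >= len(row):
            raise IndexError(f"template references column {idx + 1}, row has {len(row)}")
        value = str(row[idx])
        if DELIM in value:
            # Assumption: no escaping rule is documented, so a delimiter in a value is an error.
            raise ValueError(f"column {COLUMNS[idx]!r} contains delimiter {DELIM!r}: {value!r}")
        return value
    return PLACEHOLDER.sub(fill, template)


def syslog_line(msg, facility=1, severity=6):
    """Prefix the payload with a syslog PRI; user.info (facility 1, severity 6) is <14>."""
    return f"<{facility * 8 + severity}>{msg}"


def parse_leef(line):
    """Split a line emitted above into its five header fields and its key=value attributes."""
    if line.startswith("<"):
        line = line[line.index(">") + 1:]          # drop the syslog PRI
    parts = line.split(DELIM)
    if len(parts) < 5 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    header = dict(zip(["version", "vendor", "product", "product_version", "event_id"], parts[:5]))
    attrs = {}
    for kv in parts[5:]:
        key, sep, value = kv.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {kv!r}")
        attrs[key] = value
    return header, attrs


# Constructed sample row; not real discovery output.
SAMPLE_ROW = ["2024-03-01 10:15:00", "10.0.0.25", "db-prod-01", "ORACLE", "1521", "TCP"]

if __name__ == "__main__":
    line = syslog_line(render_leef(LEEF_TEMPLATE, SAMPLE_ROW))
    print(line)
    print(parse_leef(line))
```

A value that contains the delimiter (a host name or DB type pulled from an untrusted source, for example) raises instead of producing a record the SIEM would mis-parse; decide per report whether to drop or transform such rows.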

Sender Encoding

To encode outgoing messages (email and SNMP traps) in an encoding other than UTF-8, use the CLI command store sender_encoding.

Filter templates of one type
A filter lets you list only the Real-time Alert templates or only the Audit Process Report templates. Check or clear each selection.
Envision 2 message template
GUARDIUM_ALERT:
rule-id=%%ruleID^^category=%%category^^classification=%%classification^^severity=%%severity^^session-start-time=%%sessionStart^^client-hostname=%%clientHostname^^client-ip=%%clientIP^^server-type=%%serverType^^server-ip=%%serverIP^^src-program=%%SourceProgram^^os-user=%%OSUser^^db-user=%%DBUser^^app-user=%%AppUserName^^service-name=%%serviceName^^req-type=%%requestType^^rule-desc=%%ruleDescription^^sql=%%SQLNoValue
Threshold Default Template

As in real-time alerts, you can choose a template for the message that is sent when the threshold is reached. The template uses a predefined list of variables that are replaced with the appropriate value for the specific alert.

Those variables are:

%%alertName - alert name

%%description - alert description

%%alertQueryValue - query value that caused the alert

%%alertThreshold - alert threshold

%%alertQueryFromDate - start of the query period

%%alertQueryToDate - end of the query period

%%alertBaseQueryValue - base query value of the alert

%%classification - alert classification

%%category - alert category

%%severity - alert severity

%%recommendation - recommended action for the alert

%%Subject[] - subject of the message

The default template for threshold alerts is as follows (can be cloned and edited):

%%Subject[Guardium Alert. Severity: (%%severity), Alert Name: %%alertName]

Alert Name: %%alertName. Alert Description: %%description.

Current value: %%alertQueryValue

Base query value: %%alertBaseQueryValue

Threshold: %%alertThreshold

Query period: %%alertQueryFromDate - %%alertQueryToDate

Alert Classification: %%classification

Category: %%category

Severity: %%severity

Recommended Action: %%recommendation
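The substitution rules above (every %%name token is replaced by the alert field of that name, the text inside %%Subject[ ] becomes the email subject and is removed from the body, and %%SQLNoValue carries the SQL with its values replaced by ?) are small enough to reproduce, which is useful for previewing a template offline. The following Python is an added example, not Guardium code; it renders the Threshold Default Template and the Envision 2 real-time template as printed on this page with constructed field values. Two assumptions are not stated on the page: a %%name with no matching field is left as written, and the literal-masking regexes are an approximation of how Guardium derives %%SQLNoValue from the statement.

```python
"""Render Guardium %%variable message templates (added example, not IBM Guardium code).
Serves the Alert Message Template variable list, the Envision 2 template and the
Threshold Default Template on this page; see the lead-in for the assumptions."""
import re

SUBJECT_RE = re.compile(r"%%Subject\[(.*?)\]")
VAR_RE = re.compile(r"%%([A-Za-z]\w*)")

# Threshold Default Template, as printed on this page.
THRESHOLD_TEMPLATE = """%%Subject[Guardium Alert. Severity: (%%severity), Alert Name: %%alertName]
Alert Name: %%alertName. Alert Description: %%description.
Current value: %%alertQueryValue
Base query value: %%alertBaseQueryValue
Threshold: %%alertThreshold
Query period: %%alertQueryFromDate - %%alertQueryToDate
Alert Classification: %%classification
Category: %%category
Severity: %%severity
Recommended Action: %%recommendation
"""

# Envision 2 real-time template, as printed on this page.
ENVISION_TEMPLATE = (
    "GUARDIUM_ALERT:\n"
    "rule-id=%%ruleID^^category=%%category^^classification=%%classification"
    "^^severity=%%severity^^session-start-time=%%sessionStart^^client-hostname=%%clientHostname"
    "^^client-ip=%%clientIP^^server-type=%%serverType^^server-ip=%%serverIP"
    "^^src-program=%%SourceProgram^^os-user=%%OSUser^^db-user=%%DBUser"
    "^^app-user=%%AppUserName^^service-name=%%serviceName^^req-type=%%requestType"
    "^^rule-desc=%%ruleDescription^^sql=%%SQLNoValue"
)


def mask_sql(sql):
    """Approximation of %%SQLNoValue (assumed): quoted strings and bare numbers become '?'."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)      # 'literal' and 'it''s' -> ?
    sql = re.sub(r"\b\d+(?:\.\d+)?\b", "?", sql)    # 42, 3.5 -> ?
    return sql


def substitute(text, fields):
    """Replace each %%name with fields[name]; unknown names are left as written (assumed)."""
    return VAR_RE.sub(lambda m: str(fields.get(m.group(1), m.group(0))), text)


def render(template, fields):
    """Return (subject, body); subject is None when the template has no %%Subject[ ]."""
    subject = None
    match = SUBJECT_RE.search(template)
    if match:
        subject = substitute(match.group(1), fields)
        template = template[:match.start()] + template[match.end():]
    return subject, substitute(template, fields).strip()


# Constructed sample values; not from a real appliance.
THRESHOLD_FIELDS = {
    "alertName": "Failed logins", "description": "More than 5 failed logins in 10 minutes",
    "alertQueryValue": "8", "alertBaseQueryValue": "1", "alertThreshold": "5",
    "alertQueryFromDate": "2024-03-01 10:00", "alertQueryToDate": "2024-03-01 10:10",
    "classification": "Access", "category": "Login", "severity": "HIGH",
    "recommendation": "Check the source host",
}
RT_FIELDS = {
    "ruleID": "17", "category": "Data Access", "classification": "PII", "severity": "MED",
    "sessionStart": "2024-03-01 10:05:12", "clientHostname": "app-01", "clientIP": "10.0.0.7",
    "serverType": "ORACLE", "serverIP": "10.0.0.25", "SourceProgram": "sqlplus",
    "OSUser": "jdoe", "DBUser": "APP", "AppUserName": "jdoe", "serviceName": "ORCL",
    "requestType": "SELECT", "ruleDescription": "Select on customers",
    "SQLString": "select * from customers where ssn = '123-45-6789' and id = 42",
}
RT_FIELDS["SQLNoValue"] = mask_sql(RT_FIELDS["SQLString"])

if __name__ == "__main__":
    subject, body = render(THRESHOLD_TEMPLATE, THRESHOLD_FIELDS)
    print(subject)
    print(body)
    print()
    print(render(ENVISION_TEMPLATE, RT_FIELDS)[1])
```

Rendering the Envision template with SQLString instead of SQLNoValue in the last field would put the literal SSN into the syslog stream; the masked form is what the page's template sends.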

Customize real-time alerts and email

You can:
  • Control whether the email subject is prefixed with the Guardium appliance name.
  • Control whether the email subject is repeated at the beginning of the email body.
  • Use the template parameter %%applianceHostName to insert the appliance host name into a named template, at any position in the subject or the body.

The first two settings are stored in two fields of the ADMINCONSOLE_PARAMETERS table: APPEND_APPLIANCENAME_SUBJECT and APPEND_SUBJECT_IN_BODY. Use the following CLI commands to show or set them:

  • show alerter email append_name_subject / store alerter email append_name_subject: show or store the flag that prefixes the appliance name to the email subject.
  • show alerter email append_subject_body / store alerter email append_subject_body: show or store the flag that inserts the email subject at the beginning of the email body.

Each change made from the CLI takes effect immediately on outgoing emails.

CSV Separator

To define a separator to be used in the audit process:

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. Choose Comma, Semicolon, Tab, or define your own in Other box to define the CSV Separator that is used.
  3. Click Apply.

Add other HTML content to the Guardium Window

To add other HTML content to the Guardium window:

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. In the HTML - Left and HTML - Right text boxes, enter the HTML for the text or any other items you want to include on the window.
  3. Optionally click the preview button to verify that your HTML is displayed as you expect.
  4. Click Apply.

Add or Disable a Login Message

To add a message to display in a message box, each time a user logs in:

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. In the Login Message text box, enter the text that you want to display when each user logs in.
  3. Mark the show login message box to enable the display of the login message (or clear the box to disable the display).
  4. Click Apply.

Enable or Disable Concurrent Same-user Logins

By default, the same Guardium user can log in to an appliance from multiple IP addresses. You can disable concurrent logins from the same user. When disabled, each Guardium user will be allowed to log in from only one IP address at a time. If a user closes their browser without logging out, the connection will time out due to inactivity, so the user account will not be blocked for long.

To change this setting:

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. Locate the field Concurrent login from different IP.
  3. Click Enable or Disable, depending on the current status, to change the setting.
    Note: When the feature is disabled, an Unlock button appears next to the Enable button. You can click Unlock to allow a second user to log in with this user account, from a different IP address. This is provided for support purposes.

Enable Data Level Security at the Observed Data Level

This feature assumes that specific Guardium users are responsible for specific databases. A mechanism therefore exists to filter results system-wide so that each user can see only the information from the databases that the user is responsible for.

Restriction: Data Level Security and the Investigation Dashboard cannot be enabled concurrently.

To change this setting:

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. Click the Enable or Disable button for the Data level security filtering option
    Note: The datasec-exempt role is activated when data level security is enabled and the datasec-exempt role has been assigned to a user.
  3. Additional choices include:
    • Show-all - Permits the logged-in viewer to see all the rows in the result regardless of who these rows belong to. When used with the Datasec-exempt role permits an override of the data level security filtering.
    • Include indirect records - Permits the logged-in viewer to see the rows that belong to the logged-in user, but also all rows that belong to users under the logged-in user in the user hierarchy.
Note: If data level security at the observed data level is enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy.

Default Filtering

Default settings for the online viewer and for audit process results distribution.

Show-all. The default setting is disabled.

Escalate result to all users

Escalate result to all users - A check mark in this check box escalates audit process results (and PDF versions) to all users, even if data level security at the observed data level is enabled. The default setting is enabled. If the check box is disabled (no check mark in the check box), then audit process escalation is allowed only to users at a higher level in the user hierarchy and to users with the datasec-exempt role. If the check box is disabled, and there is no user hierarchy, then no escalation is permitted.

Custom database table maximum size

Set the size of the custom database table (in MB). The Default value is 4000 MB.

A Current Usage button is located next to this setting in the Global Profile. Click it to show the current values for INNODB, MYISAM and Total.

Note: The size limit is checked before an import starts, not during it, so a single import can carry the table past the maximum. Once the limit has been exceeded, the next import is refused. Size the limit with headroom for the largest expected import rather than treating it as a hard cap.

SCP and FTP files via different ports

Change the ports that are used to send files over SCP and FTP.

In the Global Profile, the ports for Export and Patch Backup can be changed. The default port for ssh/scp/sftp is 22. The default port for FTP is 21.
Note: A port value of 0 in the Guardium GUI indicates that the default port is in use and there is no need to change it.

Add a logo to the Guardium Window

To add a company logo graphic to the Guardium window (for other HTML content, see Add other HTML content to the Guardium Window above):

  1. Click Setup > Tools and Views > Global Profile to open the Global Profile.
  2. In Upload Logo Image, if you want to include a logo image in the portal window, enter an image file name or click Browse to select a file to upload to the Guardium appliance, and then click Upload.
  3. Refresh your browser window. The new logo appears.
Note: The name of the uploaded logo file cannot contain a single quotation mark, double quotation mark, less than sign, or greater than sign.

Encrypt Must Gather

Encrypt Must Gather is a check box in the Global Profile. The default value is cleared (do not encrypt): must gather output is compressed but not encrypted. When the check box is checked, all future must gather output is encrypted. Encryption can also be turned on with the CLI command store encrypt_must_gather on and turned off with store encrypt_must_gather off. Enable it before collecting output that will leave the appliance, since a must gather archive contains configuration and log detail.

Check for Guardium updates

Adding a checkmark will display relevant ad-hoc Guardium patches, GPUs/CFPs/Bundles, Sniffer patches and security patches that are available for the customer to download. Once the patch has been installed, it will disappear from the list.

Datasource connection timeout

Set the Datasource connection timeout in seconds. The default is 60 seconds.

The corresponding GrdAPI command to update this value is: grdapi update_datasource_connection_timeout timeoutInSecond=80