Integration of IBM Guardium with Callgoose SQIBS


Overview


This document provides a detailed guide to integrating IBM Guardium with Callgoose SQIBS for real-time Incident Management, Incident Auto Remediation, Event-Driven Automation, and other automation purposes. The integration enables automatic creation, updating, and resolution of incidents in Callgoose SQIBS based on alerts triggered in IBM Guardium. The guide includes steps for setting up alerts in IBM Guardium, configuring webhook notifications, creating API filters in Callgoose SQIBS, and troubleshooting.



Prerequisites

  • IBM Guardium Account: Access to IBM Guardium for creating alerts and managing notifications.
  • Callgoose SQIBS Account: With valid privileges to set up API filters and receive notifications.
  • Webhook/API Endpoint: Available in Callgoose SQIBS to receive alerts from IBM Guardium.



1. Obtain API Token and Endpoint Details

To integrate with Callgoose SQIBS, you first need to obtain an API token and find the API endpoint details.

  1. Generate an API Token:
     • Follow the guide on How to Create API Token in Callgoose SQIBS: https://docs.callgoose.com/sqibs/api_token
  2. Find the API Endpoint:
     • Refer to the Callgoose SQIBS API Endpoint Documentation: https://docs.callgoose.com/sqibs/api_end_point to get the endpoint details where the JSON payloads from IBM Guardium will be sent.



2. Debugging and Troubleshooting

Enable debugging in the API tokens used with IBM Guardium notifications for troubleshooting purposes.

  • Enable Debugging:
     • You can update the debug value when adding or updating an API token.
     • When API tracking is enabled, logs are stored in the API log section for your review. The debugging option will automatically disable after 48 hours.
     • When API tracking is turned off, no logs are saved in the API log.
  • Using API Log for Troubleshooting:
     • The API log provides detailed information on all API calls made to Callgoose SQIBS.
     • You can check the JSON values in each API log entry for troubleshooting purposes.
     • Use the information in the API log to create or refine API filters to ensure incidents are created correctly based on the API payloads received.
     • Callgoose SQIBS creates incidents according to your API filter configuration, giving you full control over how alerts from different services trigger incidents and alerts for your support team or automation processes.



3. Configuring IBM Guardium to Send JSON Payloads

IBM Guardium supports webhook notifications that send automated alerts to an external system when database security incidents occur, such as unauthorized access attempts, policy violations, or unusual activity.



3.1 Configure webhooks in IBM Guardium Data Detection and Response (DDR)

To configure webhooks in IBM Guardium Data Detection and Response (DDR), . 

Here's a more detailed breakdown of the process:


3.1.1. Access the Webhook Configuration:

  • Open the IBM Guardium DDR interface.
  • Navigate to the main menu and choose "Connections" > "Integrations" > "Webhook".
  • Click on "Integrations > Notification webhooks". 

3.1.2. Create a New Webhook:

  • Click "Create webhook".
  • Provide a name for the webhook, and optionally, an owner and email contact information.
  • Specify one or more request URLs for the API.
  • Select the type of authentication (e.g., Basic, JWT, etc.).
  • Fill in the necessary authentication details, such as username, password, header name, secret, etc., based on the chosen authentication type.
  • If using JWT, specify the token endpoint, client ID, client secret, HTTP header value, Sub claim, JWT lifetime, and signing algorithm.
  • Optionally, specify custom headers and values.
  • Optionally, enable Dead letters and specify reconciliation settings. 

3.1.3. Configure the Webhook Destination:

  • In the Destinations tab, enter the webhook URL and the REST API verb to be called when the webhook is triggered.
  • You can also enter authorization headers to the destination webhook.
  • Create a subscription to associate the webhook destination to a topic. 

3.1.4. Associate the Webhook with Events/Applications:

  • After creating the webhook, you'll need to associate it with specific events or applications within Guardium DDR.
  • Go to Applications > application name > Configuration > Webhooks > Add Webhook or Processes > process name > Configuration > Webhooks > Add Webhook.
  • Copy the generated webhook URL and paste it into the URL field.
  • Specify the event type and select a template name.
  • If adding to an application, specify the environment name. 

3.1.5. Test the Webhook:

  • After configuring the webhook, test it to ensure it's working as expected.
  • After an investigation completes and the webhook successfully sends the analysis results, the status will show the date and time. 


How It Works:


  1. Event Occurs: IBM Guardium detects an anomaly or security breach.
  2. Webhook Triggered: IBM Guardium sends a JSON payload containing event details (e.g., user, timestamp, database, activity) to the Callgoose SQIBS webhook URL.
  3. Action Taken: Callgoose SQIBS processes the webhook payload and triggers automated workflows or escalates incidents to security teams.


Benefits of Using IBM Guardium Webhooks with Callgoose SQIBS:


  • Real-Time Threat Detection: Receive immediate alerts for potential security threats.
  • Automated Incident Remediation: Trigger workflows to mitigate risks without manual intervention.
  • Enhanced Security Visibility: Gain deeper insights into database activity.
  • Centralized Security Management: Integrate with SIEM tools and security teams for efficient incident response.


3.1.6. Setting Up Alerts in IBM Guardium

  1. Log in to the IBM Guardium Console:
     • Access the IBM Guardium platform using your account credentials.
  2. Navigate to the Alerts Section:
     • In the IBM Guardium console, go to Security Policies > Alerts.
  3. Create a New Alert:
     • Click on Create Alert.
     • Define conditions that will trigger the alert (e.g., unauthorized access, policy violations, suspicious queries).

3.1.7. Configure the Notification Method:

  • Select Webhook as the notification method.
  • Enter the Webhook URL provided by Callgoose SQIBS.



4. Configuring Callgoose SQIBS

To correctly map incidents from IBM Guardium alerts, create API filters based on the JSON payloads received.

  • Refer to the API Filter Instructions and FAQ: https://docs.callgoose.com/sqibs/api_integration for more details.


4.1. Example JSON Payloads from IBM Guardium


Alert Triggered (severity: "Critical")

{
  "alertName": "Unauthorized Access Detected",
  "severity": "Critical",
  "description": "Unauthorized login attempt detected on Database XYZ",
  "timestamp": "2024-08-05T12:00:00.000Z",
  "alertId": "guard123"
}

Alert Resolved (severity: "Normal")

{
  "alertName": "Unauthorized Access Cleared",
  "severity": "Normal",
  "description": "Incident resolved for unauthorized login attempt on Database XYZ",
  "timestamp": "2024-08-05T12:30:00.000Z",
  "alertId": "guard123"
}


4.2 Configuring API Filters

  • Trigger Filter (For Creating Incidents):
     • Payload JSON Key: "severity"
     • Key Value Contains: [Critical]
     • Map Incident With: "alertId"
     • Incident Title From: "alertName"
     • Incident Description From: "description"
  • Resolve Filter (For Resolving Incidents):
     • Payload JSON Key: "severity"
     • Key Value Contains: [Normal]
     • Incident Mapped With: "alertId"
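The following Python model is an added illustration of how the trigger and resolve filters above act on the two sample payloads from 4.1; it is not Callgoose SQIBS's own implementation. The filter dictionaries, the `evaluate` function and the in-memory `incidents` store are assumptions made for the example, and it also covers two edge cases the guide implies but does not show: a payload that lacks the mapping key, and a "Normal" message arriving when no open incident exists for that alertId.

```python
import json
# Constructed sample payloads, copied from the two examples in section 4.1.
ALERT_TRIGGERED = json.loads('{"alertName": "Unauthorized Access Detected", "severity": "Critical",'
    ' "description": "Unauthorized login attempt detected on Database XYZ",'
    ' "timestamp": "2024-08-05T12:00:00.000Z", "alertId": "guard123"}')
ALERT_RESOLVED = json.loads('{"alertName": "Unauthorized Access Cleared", "severity": "Normal",'
    ' "description": "Incident resolved for unauthorized login attempt on Database XYZ",'
    ' "timestamp": "2024-08-05T12:30:00.000Z", "alertId": "guard123"}')

# Hypothetical dictionary form of the two filters defined in section 4.2.
TRIGGER_FILTER = {"payload_key": "severity", "value_contains": ["Critical"],
                  "map_incident_with": "alertId", "title_from": "alertName",
                  "description_from": "description"}
RESOLVE_FILTER = {"payload_key": "severity", "value_contains": ["Normal"],
                  "map_incident_with": "alertId"}

def filter_matches(payload, flt):
    """True when the filter's payload key holds a string containing any listed value."""
    value = payload.get(flt["payload_key"])
    return isinstance(value, str) and any(v in value for v in flt["value_contains"])

def evaluate(payload, incidents):
    """Apply the trigger filter, then the resolve filter, to one webhook payload.
    `incidents` maps alertId -> incident record and is updated in place; the
    returned string names the action so one alertId can be followed end to end."""
    if filter_matches(payload, TRIGGER_FILTER):
        key = payload.get(TRIGGER_FILTER["map_incident_with"])
        if key is None:
            return "ignored: mapping key missing"   # nothing to correlate a resolve with
        description = payload.get(TRIGGER_FILTER["description_from"], "")
        if key in incidents and incidents[key]["status"] == "open":
            incidents[key]["description"] = description
            return "updated"                        # repeat alert for an already-open incident
        incidents[key] = {"title": payload.get(TRIGGER_FILTER["title_from"], key),
                          "description": description, "status": "open"}
        return "created"
    if filter_matches(payload, RESOLVE_FILTER):
        key = payload.get(RESOLVE_FILTER["map_incident_with"])
        if key in incidents and incidents[key]["status"] == "open":
            incidents[key]["status"] = "resolved"
            return "resolved"
        return "ignored: no open incident"          # resolve arrived before/after its trigger
    return "ignored: no filter matched"

def run_sample():
    """Replay the two sample payloads in order; return the actions and final state."""
    incidents = {}
    actions = [evaluate(p, incidents) for p in (ALERT_TRIGGERED, ALERT_RESOLVED)]
    return actions, incidents
```

Replaying the two payloads in order yields "created" then "resolved" for alertId guard123; the ignored cases are what you would expect to see in the API log when a filter is misconfigured or a payload lacks the mapping key.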



5. Testing and Validation

  • Triggering Alerts:
     • Simulate an unauthorized access attempt in IBM Guardium.
     • Verify that an incident is created in Callgoose SQIBS with the correct details.
  • Resolving Alerts:
     • Resolve the security incident in IBM Guardium.
     • Confirm that the corresponding incident in Callgoose SQIBS is updated and marked as resolved.



6. Security Considerations

  • API Security: Ensure that API tokens are securely stored and protected.
  • IBM Guardium Permissions: Confirm webhook permissions allow security event data to be sent to Callgoose SQIBS.
  • Data Encryption: Ensure encrypted communication between IBM Guardium and Callgoose SQIBS.



7. Conclusion

This guide provides a comprehensive overview of how to integrate IBM Guardium with Callgoose SQIBS for enhanced database security and automated threat response. By following these steps, organizations can ensure IBM Guardium alerts trigger automated workflows in Callgoose SQIBS, reducing manual intervention and improving security response times.
