Security Information and Event Monitoring (SIEM) products provide real-time analysis of log entries and alerts generated by applications and network hardware. One of those applications can be the IRI Chakra Max database firewall.
As a database activity monitoring, audit and protection (DAM/DAP) system, Chakra Max collects and supports the use of DB access and activity information for its own real-time display, analysis, and alert functions. Chakra Max also supports policy-based block and kill actions, dynamic data masking, and auditing functions.
Adding DB event data to an existing SIEM environment, however, can provide a more holistic view of, and action center for, security in general. There are also ergonomic advantages to working with this data in a familiar, in-use SIEMs like IBM QRadar, SolarWinds, or Splunk Enterprise Security (ES):
For these reasons, IRI is frequently asked if (and how) Chakra Max can interact with those platforms, and what information can be shared with them.
Chakra Max produces an enormous amount of data that is available to Chakra Max users through the Chakra Max Manager application, and to SIEM users through different modes of interaction.
For example, Chakra Max can collect, and share DB access details like these with a SIEM:
Similarly, specific SQL activity may require immediate action through a SIEM:
Still more tables contain Chakra Max alert information, which can be used to synchronize alert policies with the SIEM.
How Chakra Max Feeds SIEMS
Depending on the data needed, Chakra Max can provide it to SIEMs as follows:
Specific Chakra Max Alert policies — mentioned in this article about DB access and activity monitoring — can also be configured to transmit the alert details though the preferred method:
In this case, Chakra Max alert data will be sent to the named log file. Once the data is in that log, it can be indexed into a SIEM like Splunk ES, where custom dashboards accessible in the cloud can reveal details like these:
If you have any questions about Chakra Max, or need help integrating its event data with your SIEM platform, email email@example.com.