This section provides short descriptions of predefined reports for the admin user.
Note: If data level security at the observed data level is enabled (see
Data level security filtering), then the audit process output is filtered so
users see only the information about their databases.
Enterprise reports with custom tables: If, for any reason, the central manager did not receive data from a managed unit for the custom table in an enterprise report in the last 24 hours, the Guardium® UI banner displays the message:
Central manager experienced failure getting data from collector. Central manager experienced error in the last 24 hours uploading data from collector. It's logged in both the log named cmDataUpload.log and the following report
Click the report name to open the Scheduled Jobs Exceptions report and view details of the managed units that had exceptions.
The predefined admin reports are listed in alphabetical order.
Active Risk Spotter - Risky Users Scores
This report details the current risky users, including the server IP, the overall risk score, and
scores for all of the risk indicators.
Active S-TAPs changed
This alert runs only on central manager systems. S-TAP host, S-TAP version, S-TAP changed,
timestamp, and count are shown.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Active S-TAPs changed | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | none | none |
Admin User Logins
Summary of logins to the database that use a database username defined in the Admin Users group.
The report displays the client IP address from which the user with administrative privileges logged
in to the database, database username, source program, session start date and time, and session
total for that record.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Access | Admin Users Login | Session |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Aggregation/Archive Log
This report lists Guardium aggregation activity by activity type. Each row of the report contains
the activity type, start time, file name, status, comment, Guardium host name, records purged,
period start, period end, and the count of log records for the row. You can limit the output by
setting the Guardium Host Name runtime parameter, which is set to % by default (to select all
servers). The Records Purged column contains a count of records purged only when the activity type
is Purge.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Aggregation/Export/Import | Aggregation/Archive Log | Agg/Archive Log |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 WEEK |
| Period To | <= | NOW |
| Guardium Host Name | LIKE | % |
All Guardium Applications - Roles
This menu pane displays two reports: All Roles - Application Access and All Roles - User.
All Roles - Application Access
For each role, this report lists the number of applications to which it is assigned. To list the
applications to which a role is assigned, click the role and drill down to the Record Details
report.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | All Roles - Application Access | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -100 MONTH |
| Period To | <= | NOW |
All Roles - User
For each role, this report lists the number of users to which it is assigned. To list the users
to which a role is assigned, click the role and drill down to the Record Details report.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Role - User | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -100 MONTH |
| Period To | <= | NOW |
Analytic Outlier Details
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Analytic Outliers Details | Analytic Outliers Details | Analytic Outliers Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| DB User name | LIKE | % |
| DB Name | LIKE | % |
| Source program | LIKE | % |
| Object | LIKE | % |
| Verb | LIKE | % |
| Client hostname | LIKE | % |
| OS user | LIKE | % |
Analytic Outlier Details List - enhanced
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Analytic Outliers Details | Analytic Outliers Details | Analytic Outliers Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| DB User name | LIKE | % |
| DB Name | LIKE | % |
| Source program | LIKE | % |
| Object | LIKE | % |
| Verb | LIKE | % |
| Client hostname | LIKE | % |
| OS user | LIKE | % |
Analytic Outlier Summary
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Analytic Outliers Details | Analytic Outliers Details | Analytic Outliers Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Server IP | LIKE | % |
| DB User name | LIKE | % |
| DB Name | LIKE | % |
| OS User | LIKE | % |
Analytic Outlier Summary by Date - enhanced
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Analytic Outliers Details | Analytic Outliers Details | Analytic Outliers Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Server IP | LIKE | % |
| DB User name | LIKE | % |
| DB Name | LIKE | % |
| OS User | LIKE | % |
Analytic Threat Case Details
This report presents details of an identified threat case. You need to enter the case ID and the
datasource to view the report.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Eagle Eye | Not available | Symptom type |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Enter Value for Case Id | | text field |
| Show Aliases | | Radio buttons (On, Off, Default) |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
Appliance Settings
This report displays configuration settings from a Guardium
system. Use the appliance settings report to quickly review and validate Guardium
settings.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Active S-TAPs changed | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Show Aliases | | Radio buttons (On, Off, Default) |
| Remote Data Source | | Drop-down menu |
Application Objects Summary
This report is a summary of every definition in the Guardium application. For instance, type
Oracle in the ObjectNameLike space in the Run-Time Parameters page of
Application Objects and find all the Object Types and Object Descriptions where Oracle is used.
Note: This report presents metadata and as such is not filtered through the Data Level Security
mechanism. This metadata might include database-related information such as Oracle SIDs.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Application Objects | Application Objects Summary | Application Objects |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| ObjectNameLike | % | % |
| ObjectTypeNameLike | % | % |
Approved TAP clients
Only specific S-TAPs are permitted to connect to the Guardium application. This report shows
which S-TAP is approved and the status of it.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Approved TAP Clients | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Assessment Datasources
This report is a summary of datasources that are linked to a security assessment.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Assessment and the datasources (or datasource groups) used by the assessment | SECURITY_ASSESSMENT |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Assessment | LIKE | % |
| Refresh rate in seconds | | 0 |
Assessment Roles Allowed
This report is a summary of the roles that are mapped to a security assessment.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Assessment and the roles defined in the assessment | SECURITY_ASSESSMENT |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Assessment | LIKE | % |
| Refresh rate in seconds | | 0 |
Assessment Tests
This report lists the tests that are included in a security assessment.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Assessment and the associated tests that are included in the assessment | SECURITY_ASSESSMENT |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | 2009-01-01 00:00:00 |
| Period To | <= | NOW |
| Assessment | LIKE | % |
| Test Description | LIKE | % |
| Assessment ID | LIKE | % |
| Test ID | LIKE | % |
| Show Aliases | | Radio buttons (On, Off, Default) |
| Remote Data Source | | Drop-down menu |
| Refresh Rate (Seconds) | | 0 |
Available VA Tests
The following reports are available as part of Available VA Tests:
- Available VA Tests
- Available VA Tests - Detailed
Both reports list all the security assessment tests in the Guardium
system where the reports are generated. The Available VA Tests - Detailed
report is a more comprehensive version of the Available VA Tests report.
Available VA Tests report
Use the following selections to configure the Available VA Tests report:

| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| VA Tests | Available VA tests | Assessment Tests |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Test Type | LIKE | % |
| Category | LIKE | % |
| Datasource Type | LIKE | % |
| Severity | LIKE | % |
| Show Aliases | | Radio buttons (On, Off, Default) |
| Remote Data Source | | Drop-down menu |
| Refresh Rate (Seconds) | | 0 |
Available VA Tests - Detailed report
Use the following selections to configure the
Available VA Tests - Detailed report:
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Internal - not available | Internal - not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | 2009-01-01 00:00:00 |
| Period To | <= | NOW |
| Test ID | LIKE | % |
| Test Description | LIKE | % |
| Audit Config Template ID | LIKE | % |
| Datasource Type | LIKE | % |
| Severity | LIKE | % |
| Category Name | LIKE | % |
| Short Description | LIKE | % |
| External Reference | LIKE | % |
| Can Have Exceptions Group | LIKE | % |
| Show Aliases | | Radio buttons (On, Off, Default) |
| Remote Data Source | | Drop-down menu |
| Refresh Rate (Seconds) | | 0 |
Audit Process Log
This report shows a detailed activity log for all tasks, including start and end times. This
report is available for admin users. Audit tasks show start and end times. However, the start and
end of Security Assessments and Classifications (which go to a queue) is the same.
The audit process sign-off is extended to specific rows, beyond a user signing off on the
entire audit process. The report displays a list of what was signed off and the status of specific
rows.
Use this Audit Process Log to stop audit processes. Tasks can be stopped only if they have not
run or are running. Tasks that have not started do not run. Partial results are not delivered.
If tasks are complete, stopping the audit process does not stop the sending of the results.
Stopping the audit process is done through a GrdAPI command, invoke api, from the Audit Process Log
report. Regular users see only the lines that belong to them (without all the details, just the
tasks) and can stop only their own runs. Admin users see all the details and can stop anyone's runs.
Stopping the audit process does not cancel queries that are running using a remote source, nor
does it cancel online reports that use a remote source.
Stopping is not supported for Privacy sets and External Feed. If the Privacy set task or the
External Feed started, it finishes even if the process is stopped (as opposed to a query, which is
killed).
Audit Process Log ID
Login Name
Run ID
Timestamp
Audit Process ID
Audit Process Description
Audit Task ID
Audit Task Description
Event Type
Detail
Count of Audit Process Log
Available Patches
Displays a list of available patches. There are no runtime parameters. The reporting domain is
system-only.
Audit Job Task Security Assessment
Displays the definition of the audit process job and the task name that runs a security
assessment.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Internal - not available | Internal - not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Process ID | LIKE | % |
| Task ID | LIKE | % |
| Process Description | LIKE | % |
| Task Description | LIKE | % |
| Assessment ID | LIKE | % |
| Assessment Description | LIKE | % |
| Refresh Rate (Seconds) | | 0 |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Process ID | LIKE | % |
| Task ID | LIKE | % |
Buffer Usage Monitor
Provides an extensive set of buffer usage statistics. For more information, see BigData Intelligence Buff Usage Monitor domain.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Buffer Usage | Buff Usage Monitor | Sniffer Buffer Usage Monitor |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Cassandra DB Object privileges granted to grantee
Lists all the Cassandra DB Object privileges that are granted to users and roles.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Cassandra DB Object privileges granted to grantee | Cassandra DB Object privileges granted to grantee | Cassandra DB Object privileges granted to grantee |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Role | LIKE | % |
| Enter Value for Resource | LIKE | % |
| Enter Value for Permission | LIKE | % |
| Show Aliases | Radio buttons | Default |
| Remote Data Source | Drop-down menu | |
| Refresh Rate (Seconds) | Drop-down menu | 0 |
Cassandra Object privileges granted with grant option
Lists all the Cassandra users and roles with Object privileges that can be granted to another
user.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Cassandra Object privileges granted with grant option | Cassandra Object privileges granted with grant option | Cassandra Object privileges granted with grant option |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Role | LIKE | % |
| Enter Value for Resource | LIKE | % |
| Enter Value for Grantable | LIKE | % |
| Show Aliases | Radio buttons | Default |
| Remote Data Source | Drop-down menu | |
| Refresh Rate (Seconds) | Drop-down menu | 0 |
Cassandra Role granted to User Role
Lists all the Cassandra roles that are granted to a user.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Cassandra Role granted to User Role | Cassandra Role granted to User Role | Cassandra Role granted to User Role |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Role | LIKE | % |
| Enter Value for Member | LIKE | % |
| Show Aliases | Radio buttons | Default |
| Remote Data Source | Drop-down menu | |
| Refresh Rate (Seconds) | Drop-down menu | 0 |
Cassandra SuperUser Role
Lists all the Cassandra users with a SuperUser role.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Cassandra SuperUser Role | Cassandra SuperUser Role | Cassandra SuperUser Role |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Role | LIKE | % |
| Show Aliases | Radio buttons | Default |
| Remote Data Source | Drop-down menu | |
| Refresh Rate (Seconds) | Drop-down menu | 0 |
CAS Deployment
This CAS report details the database type, OS name, hostname, and OS type.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS | CAS Deployment | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| DB Type | Like | % |
| OS_Name | Like | % |
| Hostname | Like | % |
| OS_Type | Like | % |
Changes (CAS)
CAS Change Details
For each monitored item, the changes are listed in order by owner.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Changes | CAS Change Details | Host Configuration |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| DB_Type | Like | % |
| Host_Name | Like | % |
| Instance_Name | Like | % |
| Monitored_Item | Like | % |
| OS_Type | Like | % |
| Type | Like | % |
CAS Saved Data
This report lists the data saved for each change detected. This report is sorted by host name,
and then by the most recent modification time.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Changes | CAS Saved Data | Saved Data |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host_Name | Like | % |
| Monitored_Item | Like | % |
| Saved_Data_Id | Like | % |
Configuration (CAS)
CAS Instances
This report lists CAS instance definitions (a CAS instance applies a template set to a specific
CAS host). The default sort order for this report is nonstandard. The sort keys are, from major to
minor: Host Name (ascending), Instance (ascending), and Last Status Change (descending).
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Config | CAS Instances | Monitored Item Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host_Name | Like | % |
| OS_Type | Like | % |
| DB_Type | Like | % |
| Instance | Like | % |
CAS Instance Config
This report lists CAS instance configuration changes. The default sort order for this report is
nonstandard. The sort keys are, from major to minor: Host Name (ascending), Instance (ascending),
and Last Status Change (descending). You can limit the output by using any of the following runtime
parameters, which select all values by default.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| CAS Config | CAS Instance Config | Monitored Item Details |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Host_Name | Like | % |
| OS_Type | Like | % |
| Template_Id | Like | % |
Connection Profiling List
The Connection Profiling List is a group of all allowed connections. (The Connection Profiling
List shows all connection details.)
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Connection Profiling List | Client Server |

| Run-time parameter | Operator | Default Value |
| --- | --- | --- |
| Query From Date | >= | NOW -1 DAY |
| Query To Date | <= | NOW |
Connections Quarantined
Guardium policies can be used to terminate or quarantine connections in real time. Use threshold
alerts, based on queries. See Quarantine under the Policies topic for configuration instructions.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Connection Quarantine | Connections Quarantined | Connection Quarantine |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Server IP | LIKE | % |
| DB User | LIKE | % |
| Server Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
CPU Tracker
Lists the Software TAP Host and number of CPUs on machines running S-TAPs.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| None | | |
CPU Usage
By default, displays the CPU usage for the last two hours. This graphical report is intended to
display recent activity only. If you alter the Period From and Period
To runtime parameters to include a larger time frame, you might receive a message that
indicates there is too much data. Use a tabular report to display a larger time period.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Sniffer Buffer | CPU Usage | Sniffer Buffer Usage Monitor |

| Runtime Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -2 HOUR |
| Period To | <= | NOW |
Databases by Type/Number of DB per type
Server type and client sources for each database type monitored.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Access | Number of db per type | Client/Server |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Databases Discovered
For the reporting period, for each discovered port entity where the DB Type attribute value is
NOT LIKE Unknown, this report lists the probe timestamp, server IP, server host name, database type,
port, port type, and count of discovered ports for the row.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Auto-discovery | Databases Discovered | Discovered Port |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| PortNotLike | NOT LIKE | No default value. |
Datamart Extraction Log
The extraction log has data about both table and file extractions. It presents the data mart
name, collector IP, server IP, from-time, to-time, ID, run started, run ended, number of records,
status, and error code.
Data Sources
Lists all defined data sources, including the type, name, description, host, port, service name,
username, database name, last connect, shared, and connection properties.
You can restrict the output of this report using the Data Source Name
runtime parameter, which by default is set to "%" to select all data sources.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Data-Sources | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Data Source Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Days not exported or archived
This report lists the days whose data was not exported or archived, for a system that has a daily
archive or export, and if Allow purge without exporting or archiving is not
selected. For more details, see Viewing days whose data was not archived or exported.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Catalog | Days not exported or archived | Entry |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -2 WEEK |
| Period To | <= | NOW |
| Show Aliases | Radio buttons (On, Off, Default) | Default |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
DB Users Mapping List
The mapping between database users (invokers of SQL that caused a violation) and email addresses
for real-time alerts.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Auto-discovery | DB Users Mapping List | Guardium Users Login |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Default DB Users Enabled
This report details the default users found enabled after a database scan through the group of
default users and list of servers supplied to the Non-credential Scan API. When an enabled user is
found within a database, that occurrence of database/user is reported only once. Subsequent scans
update the timestamp and database version of the database. If a subsequent scan does not find a
previously found user, the timestamp remains unaffected to keep a history with the last time the
user was found enabled on a database. Scans are run under the Classifier Listener and submitted jobs
(with the non_credential_scan API) might be tracked using the Guardium Job Queue report.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Default DB Users Enabled | Default DB Users Enabled | Default DB Users Enabled |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Definitions Export/Import Log
This report lists Guardium export/import activity by Activity Type. Each row of the report
contains the activity type, start time, file name, status, comment, and count of log records for the
row.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Aggregation/Archive | Export-Import Definitions Log | Agg/Archive Log |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Discovered Instances
This S-TAP report details the following information:
Timestamp, Host, Protocol, Port Min, Port Max, KTAP DB Port, Instance Names, Client, Exclude
Client, Proc Names, Named Pipe, DB Install Dir, Proc Name, DB2®
Shared Mem Adjustment, DB2 Shared Mem Client Position, DB2 Shared Mem Size, Unix Socket, DB User, DB Version.
Columns are populated as relevant, according to the database type.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Discovered Instances | Discovered Instances | Discovered Instances |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Discovered Instances Rules Add or Replace Log
This report details the following information: Timestamp, Host, Result, Report Only.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Discovered Instances | Discovered Instances Rules Add or Replace Log | Discovered Instances Rules Results |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Report Only (Yes/No) | Like | % |
| Show Aliases | Radio buttons (On, Off, Default) | Default |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
Discovered Instances Rules Results
This report details the following information:
Timestamp, Host, Result Message, Result Type, Report Only, Identifier, Discovered, Protocol, Port
Min, Port Max, Instance Name, Named Pipe, DB Install Dir, Proc Name, DB2 Shared Mem Adjustment, DB2
Shared Mem Client Position, DB2 Shared Mem Size, Unix Socket, DB User, DB Version.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Discovered Instances | Discovered Instances Rules Results | Discovered Instances Rules Results |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Report Only (Yes/No) | Like | % |
| Show Aliases | Radio buttons (On, Off, Default) | Default |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
Dropped Requests
Tracks requests dropped by an inspection engine (Exception Description = Dropped database
request). Under extremely rare, high-volume situations some requests might be lost. When this
happens, the sessions from which the requests were lost are listed in the Dropped Requests
report.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exceptions | Dropped Requests | Exception |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Enterprise S-TAP® Association History
Enterprise S-TAP Association History reports on how long the S-TAP reported to the
specific Guardium system in the Load balancer environment.
To see this report, you must schedule the CustomTableStapAssocicationJob. (It is not
automatically scheduled by default.) For example, to schedule this job to run hourly, run the command:
grdapi schedule_job cronString="0 0 0/1 ? * 1,2,3,4,5,6,7" jobType="customTableStapAssocication"
If you set the job to run hourly, you see S-TAP association changes with a one hour delay. If you
need to see the changes sooner, you can schedule this job to run at more frequent intervals.
However, there can be a tradeoff in central manager environments with a large number of S-TAPs,
between frequency of reports and load on the system. If the S-TAPs move frequently, running this job
every five minutes might burden the central manager. Set the frequency according to your needs, and
your environment. To set the job to run every five minutes, run the command:
grdapi schedule_job cronString="0 0/5 0/1 ? * 1,2,3,4,5,6,7" jobType="customTableStapAssocication"
Enterprise Buffer Usage Monitor
This report shows the aggregate of sniffer buffer usage from all managed units. You must set the
schedule for the upload. See the description of the Sniffer Buffer Usage entity for a
description of the fields listed on this report.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Enterprise Buffer Usage | Enterprise Buffer Usage | Sniffer Buffer Usage |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Exception Count
For the reporting period, the total number of exceptions logged.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exceptions | Exception Count | Exception |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Export Sensitive Data to Discovery
Guardium and InfoSphere® Discovery have mechanisms for the Classification of Sensitive Data.
A bidirectional interface is provided to transfer the identified sensitive data from Guardium to
InfoSphere Discovery and from InfoSphere Discovery to Guardium.
This data is transferred through CSV files. See External data correlation for further information.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Export Sensitive Data to Discovery | Classification Process Results |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOURS |
| Period To | <= | NOW |
| Rule Description | LIKE | |
| Schema | LIKE | |
External Tickets
Displays details of tickets that are created in Guardium and sent to external sources such as
ServiceNow or Resilient.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | External Ticket | External Ticket |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Guardium Source | LIKE | % |
| Enter Value for Ticket Number | LIKE | % |
| Refresh rate in seconds | | 0 |
FAM Config Change
Displays details about the changes in the File Activity Monitor (FAM) configuration.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Exceptions | FAM Config Change | Exception |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Show Aliases | Radio buttons (On, Off, Default) | Default |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
FAM Progress
Displays details about the progress of File Discovery, Entitlement, and Classification (FDEC)
scans for NAS and SharePoint.
Note: FDEC does not provide live updates for removed objects. The
numbers in the Removed Objects column always reflect the total number of removed objects.
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Internal - not available | Not available | Not available |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for NAS or SP Host Name | Like | % |
| Enter Value for Source Directory Path | Like | % |
| Refresh rate in seconds | | 0 |
Full SQL
This report summarizes SQL commands performed by the user, or run on the database (depending on
the source).
| Domain | Based on Query | Main Entity |
| --- | --- | --- |
| Access | Full SQL | Full SQL |

| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Service Name | Like | % |
| Enter Value for OS User | Like | % |
| Enter Value for DB User Name | Like | % |
| Enter Value for Server IP | Like | % |
| Show Aliases | Radio buttons (On, Off, Default) | Default |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
Full SQL - Data Tampering
This is a filtered view of the full SQL report, showing only the results for data tampering.
| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Service Name | Like | % |
| Enter Value for DB User Name | Like | % |
| Enter Value for OS User | Like | % |
| Enter Value for Service Name | Like | % |
| Show Aliases | Radio buttons (On, Off, Default) | Default |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
Full SQL - Massive Grants
This is a filtered view of the full SQL report, showing only the results for massive grants.
| Run-Time Parameter | Operator | Default Value |
| --- | --- | --- |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Enter Value for Server IP | Like | % |
| Enter Value for DB User Name | Like | % |
| Enter Value for OS User | Like | % |
| Enter Value for Service Name | Like | % |
| Show Aliases | Radio buttons (On, Off, Default) | Default |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
Full SQL - Possible data leak
This is a filtered view of the full SQL report, showing only the results for possible data
leaks.
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Enter Value for Server IP |
Like |
% |
| Enter Value for DB User Name |
Like |
% |
| Enter Value for OS User |
Like |
% |
| Enter Value for Service Name |
Like |
% |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh rate in seconds |
|
0 |
Full SQL - Schema tampering
This is a filtered view of the full SQL report, showing only the results for schema
tampering.
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Enter Value for Server IP |
Like |
% |
| Enter Value for DB User Name |
Like |
% |
| Enter Value for OS User |
Like |
% |
| Enter Value for Service Name |
Like |
% |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh rate in seconds |
|
0 |
Full SQL By Client IP
| Domain |
Based on Query |
Main Entity |
| Access |
Full SQL By Client IP |
Full SQL |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh rate in seconds |
|
0 |
Full SQL by DB User
| Domain |
Based on Query |
Main Entity |
| Access |
Full SQL by DB user |
Full SQL |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Enter Value for DB User Name |
Like |
% |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh rate in seconds |
|
0 |
Guardium Job Queue
Displays the Guardium Job Queue. Previously known as Classifier/Assessment Job Queue. For each
job, it lists the Process Run ID, Process Type, Status, Guardium Job Process Id, Report Result Id,
Guardium Job Description, Audit Task Description, Queue Time, Start Time, End Time, and Data
Sources.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Guardium Job Queue |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
| Enter Value for Job Description |
Like |
% |
| Enter Value for Process Type |
Like |
% |
| Show Aliases |
Radio buttons (On, Off, Both, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh Rate (seconds) |
|
0 |
The job queue
Assessments and Classifications run in their own separate process called the job queue. Jobs are
queued and have their status maintained while a listener periodically polls the queue to look for
waiting jobs to run.
Stopping
When you right-click a running job for drill-down, there is an option to stop the running job and
cancel it. The job cannot be restarted at this point.
Halting
Running jobs are monitored to reduce the number of hung jobs that might cause the job queue to
become overloaded. If a job is inactive for 30 minutes, the listener is terminated and restarted,
effectively stopping the operation of a job. Before the listener is restarted, a process called the
cleaner runs, the status is set from RUNNING to HALTED, and then the listener is restarted. A status
of HALTED means the job was not able to run to completion.
Resubmitting
Sometimes the listener gets restarted for reasons other than a job hanging, for example, when
the machine is rebooted. When the cleaner halts the running jobs, it checks whether the job responded in
the past 8 minutes. If it has, the job is copied and that copy is resubmitted into the job queue.
The original halted job still displays in the queue, and still has the results it was able to
process available.
Monitoring
The mechanism by which jobs maintain their active status is by touching the timestamp on the job
queue record. It is important to note that the job queue record is used for the entire job. Each
individual classifier rule or assessment test interacts with the timestamp for its parent process,
and they do not have individual timestamps that are monitored.
The classifier will update its timestamp before every rule is tested and after every SQL
operation. For example, if the classifier is scanning the data in a database that supports paging,
it will touch the timestamp after each batch of data is brought back from the database. This is
because, depending on the state of the target database, the classifier has the potential to invoke
some long-running queries that are limited to 30 minutes of execution.
Assessments touch the timestamp after each test in the assessment is evaluated. Most assessment
tests run in a few seconds or less.
Observed Tests
The exception to the relatively quick-running assessment tests is the category of observed
assessment tests. These tests are based on queries and reports that use the internal sniffing data
on the Guardium appliance, can run for longer periods of time, and are unable to update the
timestamp while they are in process. Therefore, observed assessment tests have their timestamps set
two hours into the future when they are started, essentially giving them two hours and thirty
minutes to run to conclusion. This can be confusing when you look at the job queue and see the
timestamp set to a time in the future. Just like any other assessment test, when the observed test
ends, the timestamp is touched. If the next test is an observed test, the timestamp is once again
set two hours into the future. Otherwise, the timestamp is set to the current time.
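The timing rules above, modeled as an added example (this is not Guardium code). The `JobRecord` fields, the function names, and the `QUEUED` status name are assumptions; only the 30-minute, 8-minute, and 2-hour values and the RUNNING and HALTED statuses come from the text.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Tuple

# Values taken from the text above.
INACTIVITY_LIMIT = timedelta(minutes=30)  # inactivity that gets a job halted
RESUBMIT_WINDOW = timedelta(minutes=8)    # "responded in the past 8 minutes"
OBSERVED_LEAD = timedelta(hours=2)        # observed tests are stamped this far ahead


@dataclass(frozen=True)
class JobRecord:
    """One job queue record (field names are assumptions for this example)."""
    run_id: int
    description: str
    status: str          # RUNNING and HALTED are from the text; QUEUED is an assumed name
    timestamp: datetime  # the single per-job timestamp that every rule or test touches


def touch(job: JobRecord, now: datetime, next_is_observed: bool = False) -> JobRecord:
    """Touch the timestamp: current time, or two hours ahead when an
    observed assessment test is about to start."""
    stamp = now + OBSERVED_LEAD if next_is_observed else now
    return replace(job, timestamp=stamp)


def halt_deadline(job: JobRecord) -> datetime:
    """Moment at which the job has been inactive for 30 minutes."""
    return job.timestamp + INACTIVITY_LIMIT


def is_inactive(job: JobRecord, now: datetime) -> bool:
    """True for a RUNNING job whose timestamp is at least 30 minutes old."""
    return job.status == "RUNNING" and now >= halt_deadline(job)


def listener_needs_restart(jobs: List[JobRecord], now: datetime) -> bool:
    """One inactive job is enough to terminate and restart the listener."""
    return any(is_inactive(job, now) for job in jobs)


def cleaner_pass(jobs: List[JobRecord], now: datetime,
                 next_run_id: int) -> Tuple[List[JobRecord], List[JobRecord]]:
    """Model the cleaner: every RUNNING job becomes HALTED, and a copy is
    resubmitted for each one that responded within the past 8 minutes."""
    updated, resubmitted = [], []
    for job in jobs:
        if job.status != "RUNNING":
            updated.append(job)
            continue
        # The original record stays in the queue as HALTED.
        updated.append(replace(job, status="HALTED"))
        # A future timestamp (observed test in progress) also passes this
        # comparison in this model; the text does not say how the cleaner
        # treats that case.
        if now - job.timestamp <= RESUBMIT_WINDOW:
            resubmitted.append(
                replace(job, run_id=next_run_id, status="QUEUED", timestamp=now))
            next_run_id += 1
    return updated, resubmitted


if __name__ == "__main__":
    now = datetime(2024, 5, 19, 12, 0)  # constructed sample data
    jobs = [
        JobRecord(1, "classifier scan", "RUNNING", now - timedelta(minutes=35)),
        JobRecord(2, "assessment", "RUNNING", now - timedelta(minutes=5)),
    ]
    print("restart listener:", listener_needs_restart(jobs, now))
    halted, copies = cleaner_pass(jobs, now, next_run_id=100)
    for job in halted + copies:
        print(job.run_id, job.description, job.status)
```

In this model a hung job is halted without a copy, while a job that was still responding when the listener restarted is halted and resubmitted under a new run ID.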
Guardium usage summary
Displays a list of S-TAP hosts, number of processors per the Guardium License Metric Tool (ILMT),
and the estimated number of processor value units (PVUs).
To calculate the accurate number of PVUs, see https://www-112.ibm.com/software/howtobuy/passportadvantage/pvucalculator/pvucalc.wss
| Domain |
Based on Query |
Main Entity |
| Internal-not available |
Guardium usage summary |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Remote Data Source |
|
Drop-down menu |
| Show Aliases |
Radio buttons (On, Off, Both, Default) |
Default |
| Refresh Rate (seconds) |
|
0 |
GIM Clients Status
Displays a list of GIM clients, including the client name, OS, vendor, installation date, module name, module version, module state, module schedule, and the system the GIM module reports to.
| Domain |
Based on Query |
Main Entity |
| GIM Clients Status |
GIM Clients Status |
GIM Clients |
| Run-Time Parameter |
Operator |
Default Value |
| Client Name |
% |
Not available |
| Client OS |
% |
Not available |
GIM Events List
Displays a list of GIM Events.
| Domain |
Based on Query |
Main Entity |
| GIM Events |
GIM Events |
GIM Events |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
GIM Installed Modules
Displays a list of installed GIM modules, including the client name, IP, OS, release, vendor, and
vendor version, and the module name, current version, and latest available version.
Note: This report shows the modules that are associated with the host. If a module is assigned to a
host, the assigned version does appear in this report, even if the module is not yet scheduled or
installed. To check the currently installed module, review the GIM Clients Status report.
| Domain |
Based on Query |
Main Entity |
| GIM Installed Base |
GIM Installed Base |
GIM Installed |
| Run-Time Parameter |
Operator |
Default Value |
| none |
not applicable |
not applicable |
Group Usage Report
Displays the list of all defined groups and all the entities that rely on each group.
Guardium API Exceptions
Displays a timestamp and description of all GuardAPI exceptions. These are jobs where the
Exception Type ID is GUARD_API_EXCEPTION.
| Domain |
Based on Query |
Main Entity |
| Exception |
Guardium API Exceptions |
Exception |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
Guardium entitlement consolidation report (using ILMT)
This report provides details on the active and inactive S-TAPs installed on the data server. If the
ILMT agent is installed, the report shows the processor value of the data server. If the ILMT agent
is not installed, the processor value is blank. This report helps indicate the processor value of a
server with an installed and active S-TAP. The ILMT agent provides the processor value once it is
installed; this report does not replace ILMT requirements in any sense (follow ILMT
compliance and audit requirements).
| Domain |
Based on Query |
Main Entity |
| Internal-not available |
Guardium entitlement consolidation report |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Remote Data Source |
|
Drop-down menu |
| Show Aliases |
Radio buttons (On, Off, Both, Default) |
Default |
| Refresh Rate (seconds) |
|
0 |
Guardium Group Details
For the reporting period, each row of the report lists a group member. The columns contain the
following information: Group Description, Group Type, Group Subtype, Timestamp (from the Group
Member entity), Group Member, and count of Group Member entities for the row. The value of the
timestamp is set to the current time whenever the record is updated.
You can restrict the output of this report using the runtime parameters, both of which are used
with the LIKE operator and a default value of %, which selects all values.
| Domain |
Based on Query |
Main Entity |
| Group |
Guardium Group Details |
Group Member |
| Run-Time Parameter |
Operator |
Default Value |
| Group Description |
LIKE |
% |
| Group Type |
LIKE |
% |
| Period From |
>= |
NOW -100 MONTH |
| Period To |
<= |
NOW |
Guardium Users
Lists each user, date of last activity, and number of roles assigned. For each user, you can
drill down to the Record Details report to see the roles assigned to that user.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
User Role |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -100 MONTH |
| Period To |
<= |
NOW |
Host History (CAS)
This report lists CAS host events. The default sort order for this report is nonstandard. The
sort keys are, from major to minor: Host Name (ascending), Instance, and Event Time
(descending).
| Domain |
Based on Query |
Main Entity |
| CAS Host History |
CAS Host History |
Host Event |
| Run-Time Parameter |
Operator |
Default Value |
| Host_Name |
Like |
% |
| OS_Type |
Like |
% |
| Event_Type |
Like |
% |
Inactive Inspection Engines
Lists all inactive inspection engines.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Inactive Inspection Engines |
S-TAP Verification Header |
| Run-Time Parameter |
Operator |
Default Value |
| Query from date |
>= |
NOW -3 HOUR |
| Query to date |
>= |
NOW |
Inactive S-TAPs Since
Lists all inactive S-TAPs defined on the system. It has a single runtime parameter: Period From,
which is set to NOW -1 HOUR by default. Use this parameter to control how you want to define
inactive. This report contains the same columns of data as the S-TAP Status report, with the
addition of a count for each row of the report.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Inactive S-TAPs Since |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 HOUR |
Installed Patches
Displays the patches: Patch Number, Guardium Version, Patch Description, Patch
Dependencies, Creation Date, Request Received, Installed By, Status, Status Description, Timestamp,
Requested Schedule.
| Domain |
Based on Query |
Main Entity |
| Installed Patches |
Installed Patches |
Installed Patch |
| Run-Time Parameter |
Operator |
Default Value |
| Refresh rate in seconds |
|
0 |
Logged R/T Alerts
For the reporting period, the total number of logged real-time alerts, listed by rule
description.
| Domain |
Based on Query |
Main Entity |
| Policy Violations |
Logged R/T Alerts |
Policy Rule Violation |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
Logged Threshold Alerts
For the reporting period, the total number of threshold alerts logged.
| Domain |
Based on Query |
Main Entity |
| Alert |
Logged Alerts |
Threshold Alert Details |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
Logging Collectors (valid only from aggregation unit)
The Logging Collectors report appears under the Daily Monitor Tab and it is valid only on an
aggregator unit. This report shows the number of sessions per Server IP, per collector and per day.
For example: on 19 May, aggregator #1 collected 100 sessions for Server 192.168.x.x1, 50 sessions
for Server 192.168.x.x2; aggregator #2 collected 30 sessions for Server 192.168.x.x3, 90 sessions
for Server 192.168.x.x4; and so on.
| Domain |
Based on Query |
Main Entity |
| Exceptions |
Logging Collectors |
Logging Collectors |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
Logins to Guardium
All values for this report are from the Guardium Logins entity. For the reporting period, each
row of the report lists the User Name, Login Succeeded (1 = Successful, 0 = Failed, -1 = password
expired, -2 = login from different IP), Login Date And Time, Logout Date And Time (which is blank if
the user has not yet logged out), Host Name, Remote Address (of the user) and count of logins for
the row.
| Domain |
Based on Query |
Main Entity |
| Guardium Logins |
Guardium Logins |
Guardium Users Login |
| Run-Time Parameter |
Operator |
Default Value |
| Host Name |
LIKE |
% |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
Managed Units (Central Manager)
Enterprise report on a Central Manager that shows which managed units are up. Use this report in
a Statistical Alert to send an email to an ADMIN anytime a managed unit is down.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Managed Units |
Managed Units |
| Run-Time Parameter |
Operator |
Default Value |
| Host Name |
LIKE |
% |
| Remote Data Source |
|
Drop-down menu |
| Show Aliases |
|
Radio buttons (On, Off, Default) |
NAS File Activities
Displays details about the file activity in Network-Attached Storage (NAS) devices.
| Domain |
Based on Query |
Main Entity |
| Access |
NAS File Activities |
Object/Command |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh Rate (seconds) |
|
0 |
Number of Active Audit Processes
Number of active Guardium audit processes. When central management is used, this report contains
data only on the Central Manager, and is empty on all managed units (the standard message of
No data found for requested query displays). There are no runtime parameters for
this report.
| Domain |
Based on Query |
Main Entity |
| Audit Process |
Number of Active Processes |
Audit Process |
Oracle Unified Audit Activity
This report presents the server, client, and database details for the logged Oracle traffic.
| Domain |
Based on Query |
Main Entity |
| Access |
Oracle Unified Audit Activity |
STAP SQL Configuration |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Refresh Rate (seconds) |
|
0 |
Oracle Unified Audit (S-TAP configuration) Activity
This report shows details of the S-TAP and host configurations for Oracle Unified Auditing, the
data pull interval and number of rows, and the timeout.
| Domain |
Based on Query |
Main Entity |
| S-TAP Status |
Oracle Unified Audit (S-TAP Configuration) Activity |
Client/Server by Session |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Refresh Rate (seconds) |
|
0 |
Outstanding Audit Process Reviews
Number of outstanding Guardium audit processes, listed by Guardium users.
Table 1. Outstanding Audit Process Reviews
| Domain |
Based on Query |
Main Entity |
| Audit Process |
Outstanding Audit Process Reviews |
Task Results To-Do List |
Primary Guardium Host Change Log
Log of primary host changes for S-TAPs. The primary host is the Guardium unit to which the S-TAP
sends data. Each line of the report lists the S-TAP Host, Guardium Host Name, Period Start, and
Period End.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Primary SGuard host change log |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
Query Entities and Attributes
This report lists all the entities and attributes in Guardium reports and was created to simplify
the linkage between the Guardium attributes to the GuardAPI calls.
Use this report to also invoke create_constant_attribute,
create_api_parameter_mapping, delete_api_parameter_mapping, or list_param_mapping_for_function.
| Domain |
Based on Query |
Main Entity |
| Any of Guardium reporting domains |
Any of the entities for the reporting domain |
Any of the attributes within the entity |
| Run-Time Parameter |
Operator |
Default Value |
| Report Name Like: if the value is not '%', the report shows only the domain/entity and attributes
used by reports that match the new parameter. If the value is '%', all domains, queries, and
attributes are displayed (including those not used by any report). |
not applicable |
not applicable |
Replay Statistics
This report shows Replay Statistics for Execution Start/End Date, Configuration Name, Schedule
Setup Name, Job Status, Statistic Description, Session ID, Successful Queries, Failed Queries, Total
Queries; Type, and Active/Waiting/Completed Tasks.
| Domain |
Based on Query |
Main Entity |
| Replay Results Tracking |
Replay Statistics |
Replay Result Statistics |
| Run-Time Parameter |
Operator |
Default Value |
| Query from date |
>= |
NOW -1 DAY |
| Query to date |
<= |
NOW |
| Session |
>= |
Not available |
| Session |
<= |
Not available |
Replay Summary
For the reporting period, a measure of which queries failed or succeeded. The Query Failed or
Query Succeeded check box must be selected in Replay Configuration.
| Domain |
Based on Query |
Main Entity |
| Replay Results |
Replay Summary |
Replay Results |
| Run-Time Parameter |
Operator |
Default Value |
| Query from date |
>= |
NOW -1 DAY |
| Query to date |
<= |
NOW |
| Results status |
% |
Not available |
| Schedule setup name |
% |
Not available |
Request Rate
By default, displays the request rate for the last two hours. This graphical report is intended
to display recent activity only. If you alter the runtime parameters to include a larger time frame,
you might receive a message indicating that there is too much data. Use a tabular report to display
a larger time period.
| Domain |
Based on Query |
Main Entity |
| Sniffer Buffer |
Request Rate |
Sniffer Buffer Usage Monitor |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -2 HOUR |
| Period To |
<= |
NOW |
Restored Data
This report has two columns: RESTORED_DAY and EXPIRATION_DATE. When the user restores data from
archive, this table is populated according to the data restored and the duration specified for
keeping this data. The purge process looks at this table to determine what data can be purged and
cleans up records that expired. RESTORED_DAY is the date of the data that was restored and is in the
past. EXPIRATION_DATE is the date when this data will be purged and is a date in the future.
| Domain |
Based on Query |
Main Entity |
| Restored Data |
Restored Data |
Restored Data |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -10 DAY |
| Period To |
<= |
NOW +10 DAY |
Risky Users - Connection Profiling List
This report is the Connection Profiling List, filtered for risky users.
| Domain |
Based on Query |
Main Entity |
| Access |
Connection Profiling List |
Client Server |
| Run-Time Parameter |
Operator |
Default Value |
| Query from date |
>= |
NOW -1 DAY |
| Query to date |
<= |
NOW |
| Client IP/Src App/DB User/Server IP/Svc Name |
not like group |
Connection Profiling List |
| Client IP/Src App/DB User/Server IP/Svc Name |
like group |
Risk Spotter - Risky Users |
Risky Users - Policy Violation
This report is the Policy Violation report, filtered for risky users.
| Domain |
Based on Query |
Main Entity |
| Policy Violations |
Risky Users - Policy Violation |
Policy Rule Violation |
| Run-Time Parameter |
Operator |
Default Value |
| Client IP/Src App/DB User/Server IP/Svc Name |
like group |
Risk Spotter - Risky Users |
| Policy Rule Violation: Severity |
>= |
1 |
Risky Users - SQL Errors
This report is the SQL Errors report, filtered for risky users.
| Domain |
Based on Query |
Main Entity |
| Exception |
Risky Users - SQL Errors |
Exception |
| Run-Time Parameter |
Operator |
Default Value |
| Exception Type: Exception Type Description |
like |
Database%Server% |
| Client IP/Src App/DB User/Server IP/Svc Name |
like group |
Risk Spotter - Risky Users |
Scheduled Job Exceptions
Displays a timestamp and the description for each scheduled job exception (including assessment
errors). These are jobs where the Exception Type ID is one of the following: SCHED_JOB_EXCEPTION,
ASSESSMENT_EXCEPTION, or ASMT_ERROR.
| Domain |
Based on Query |
Main Entity |
| Sniffer Buffer |
CPU Usage |
Sniffer Buffer Usage |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -2 HOUR |
| Period To |
<= |
NOW |
Scheduled Jobs
Displays the list of currently scheduled jobs.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Scheduled Jobs |
Not available |
Session Count
For the reporting period, the total number of different sessions open.
| Domain |
Based on Query |
Main Entity |
| Access |
Session Count |
Session |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
SharePoint File Activities
Displays details about the file activity in a SharePoint environment.
| Domain |
Based on Query |
Main Entity |
| Access |
SharePoint File Activities |
Object/Command |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh Rate (seconds) |
|
0 |
SQL Count
For the reporting period, the total number of different SQL commands issued.
| Domain |
Based on Query |
Main Entity |
| Access |
SQL Count |
SQL |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
S-TAP Agent Upgrade Pre-Check
Before starting a GIM upgrade, you can check whether any of the database servers that host
Linux-UNIX® S-TAP agents need to be rebooted during the S-TAP upgrade. This check is for GIM
upgrades only; it does not cover any other upgrade scenarios.
If the bundles were installed from the managed unit, run the report on the
managed unit. If all clients are managed by the central manager (all GIM clients point to the
central manager, which is best practice and the recommended setup), run the report from the central
manager. The reboot status of GIM clients that point to a managed unit is not captured in a report
that is run on the central manager. Verify that the GIM agent is installed on the database server
before you run the report (relevant for upgrades from a non-GIM installation).
None of the other modules or bundles need to be installed. All database servers that are listed in
the report need to be rebooted.
There are no runtime parameters. This reporting domain is system-only.
Columns: S-TAP Host, Installed by GIM, GIM Parameter Name, Live Update.
| Run-Time Parameter |
Operator |
Default Value |
| Refresh rate in seconds |
|
0 |
S-TAP Configuration Change History
This report is displayed only when an inspection engine is added or changed. It lists the S-TAP
configuration changes; each inspection engine change appears on a separate row. Each row lists the
S-TAP Host, DB Server Type, DB Port From, DB Port To, DB Client IP, DB Client Mask, and Timestamp
for the change.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Configuration Change History |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
S-TAP Events
Use this report for information on the S-TAP (from SOFTWARE_TAP_EVENT table in internal
database).
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
S-TAP Events |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| event type |
LIKE |
% |
| host type |
LIKE |
% |
| Period From |
>= |
NOW -3 DAY |
| Period To |
<= |
NOW |
S-TAP Info (Central Manager)
On a Central Manager, an additional report, S-TAP Info, is available. This report monitors S-TAPs
of the entire environment. Upload this data using the Custom Table Builder.
S-TAP Info is a predefined custom domain, which contains the S-TAP Info entity and is not
modifiable like the entitlement domain.
When defining a custom query, go to the upload page and click Check/Repair
to create the custom table in the CUSTOM database, otherwise save query does not validate it. This
table loads automatically from all remote sources. A user cannot select which remote sources are
used. It pulls from all of them.
Based on this custom table and custom domain, there are two reports:
Enterprise S-TAP View shows, from the Central Manager, information on an active S-TAP on a
collector and/or managed unit. (If there are duplicates for the same S-TAP engine, one being active
and one being inactive, then the report uses only the active.)
Detailed Enterprise S-TAP View shows, from the Central Manager, information on all active
and inactive S-TAPs on all collectors and/or managed units.
If the Enterprise S-TAP View and Detailed Enterprise S-TAP View look the same, it is because
there is only one S-TAP on one managed unit that is displayed. The Detailed Enterprise S-TAP View
looks different if there are more S-TAPs and more managed units involved.
There is an Alert: Inspection Engines and S-TAP that alerts once a day on any activity related to
inspection engine and S-TAP configuration. See Predefined Alerts.
S-TAP Last Response
A predefined query and report are available, but they are not added to any panels.
The query/report displays All S-TAP Hosts and the last response (heartbeat) sent by each host.
The purpose of this query is to be able to define an alert that triggers when an S-TAP on a host
did not respond for a given period of time.
The input parameters are Last Response From and Last Response To.
For example, when executed with Last Response From = NOW -5 DAYS and
Last Response To = NOW - 3 HOURS, it displays the host name and the last response
time for those hosts that sent the last response in the last 5 days, but had no response in the last
3 hours.
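The window logic of this query, applied to an exported host list, as an added example that is not part of the product. The CSV column names and the sample rows are constructed for illustration; the example also reports hosts whose last response is older than Last Response From, which the window itself does not select.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """S-TAP Host,Last Response
db-prod-01,2024-05-19 11:58:00
db-prod-02,2024-05-19 07:15:00
db-prod-02,2024-05-18 23:00:00
db-test-07,2024-05-16 09:30:00
db-old-11,2024-05-10 04:00:00
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def latest_response_per_host(export_text):
    """Parse the export and keep only the most recent response per host.

    Duplicate hosts are tolerated so that exports merged from several
    units can be fed in as one text.
    """
    latest = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        host = row["S-TAP Host"].strip()
        seen = datetime.strptime(row["Last Response"].strip(), TS_FORMAT)
        if host not in latest or seen > latest[host]:
            latest[host] = seen
    return latest


def classify_hosts(latest, now,
                   response_from=timedelta(days=5),
                   response_to=timedelta(hours=3)):
    """Split hosts by where their last response falls relative to the window
    [now - response_from, now - response_to] (both ends inclusive).

    responding        : heartbeat newer than the window, nothing to do
    silent_in_window  : what the query returns with these parameters
    older_than_window : silent for longer than response_from, so the
                        window does not select them; review separately
    """
    window_start = now - response_from
    window_end = now - response_to
    result = {"responding": [], "silent_in_window": [], "older_than_window": []}
    for host, seen in sorted(latest.items()):
        if seen > window_end:
            result["responding"].append(host)
        elif seen >= window_start:
            result["silent_in_window"].append(host)
        else:
            result["older_than_window"].append(host)
    return result


if __name__ == "__main__":
    now = datetime(2024, 5, 19, 12, 0, 0)  # fixed so the sample is reproducible
    groups = classify_hosts(latest_response_per_host(SAMPLE_EXPORT), now)
    for name, hosts in groups.items():
        print(f"{name}: {', '.join(hosts) or '-'}")
```

An alert built only on the 5-day window stops firing for a host once its silence exceeds 5 days, so the `older_than_window` group is worth a separate, wider check.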
S-TAP Status
Displays status information about each inspection engine that is defined on each S-TAP Host. This
report has no From and To date parameters, since it is reporting current status. Each row of the
report lists all the Guardium Hosts, DB Exec File, DB Server Type, Status, Last Response,
Primary Host Name, and Yes/No indicators for the following attributes: KTAP Installed, Shared
Memory Driver Installed, DB2 Shared Memory Driver Installed, Named Pipes Driver Installed,
and App Server Installed. In addition, it lists the Hunter DBS.
Note: The DB2 shared memory driver is superseded by the DB2 Tap feature.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
S-TAP Status |
Not available |
S-TAP Status Monitor
For each S-TAP reporting to this Guardium appliance, this report identifies the S-TAP Host, S-TAP
Version, DB Server Type, Status (active or inactive), Last Response Received (date and time),
Primary Host Name, and true or false indicators for KTAP, MS SQL Server Shared Memory, DB2 Shared Memory,
Local TCP monitoring, Named Pipes Usage, and Encryption; and the Guardium Hosts column that
lists all hosts.
This report has no runtime parameters, and is based on a system-only query that cannot be
modified.
S-TAP Uninstall Events
Uninstalling an S-TAP might be evidence of harmful activity. This report details S-TAP uninstall
events.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
Not available |
Not available |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh rate in seconds |
|
0 |
S-TAP Verification
Lists all results of S-TAP verification,
including DB server type, Inspection engine identifier, Port range, Last response from S-TAP,
Inspection engine status, Last verification time, Verification schedules, Next scheduled time,
Datasource name, Datasource description, Verification type, Instance name, KTAP, MSS shm, WinDb2
shm, Win TCP, Pipes, Encrypted?, Firewall installed, DB install dir, Load balancing, Alternate IPs,
TLS, DB Exec File.
| Domain |
Based on Query |
Main Entity |
| Internal - not available |
S-TAP Verification |
S-TAP Verification Header |
| Run-Time Parameter |
Operator |
Default Value |
| Query from date |
>= |
NOW -3 HOUR |
| Query to date |
>= |
NOW |
STAP/Z Files
STAP/Z provides files with raw data collected from DB2 (on z/OS®) containing DB2
events, SQL statements, and so on. This report lists an Interface ID, UA file name (Un-normalized
Audit Event), UT file name (Un-normalized Audit Event text), UH file name (Un-normalized Audit Event
host variables), File Status, Total Number of Events Processed, Number of Events Failed, and
Timestamp.
This report has two runtime parameters, FileName Like % and FileStatus Like %. It is based on a
system-only query that cannot be modified.
Symptoms
| Domain |
Based on Query |
Main Entity |
| Eagle Eye |
Symptoms |
Symptompe |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -3 HOUR |
| Period To |
<= |
NOW |
| Enter Value for Case ID |
Like |
% |
| Show Aliases |
Radio buttons (On, Off, Default) |
Default |
| Remote Data Source |
|
Drop-down menu |
| Refresh rate in seconds |
|
0 |
TCP Exceptions
For the reporting period, for each exception where the Exception Description of the Exception
Type entity is TCP/IP Protocol Exception, a row of this report lists the following attribute values
from the Exception entity: Exception Timestamp, Exception Description, Source Address, Destination
Address, Source Port, Destination Port, and count of Exceptions for that row.
| Domain |
Based on Query |
Main Entity |
| Exceptions |
TCP Exceptions |
Exception |
| Run-Time Parameter |
Operator |
Default Value |
| Period From |
>= |
NOW -1 DAY |
| Period To |
<= |
NOW |
Templates (CAS)
This report lists CAS templates. By default, all template items are listed.
| Domain |
Based on Query |
Main Entity |
| CAS Templates |
CAS Templates |
Template |
| Run-Time Parameter |
Operator |
Default Value |
| Access_Name |
Like |
% |
| Template_Set_Name |
Like |
% |
| Audit_Type |
Like |
% |
Test Detail Exception
This report lists all the test detail exceptions that are applied to a security assessment.
| Domain | Based on Query | Main Entity |
| Internal - not available | Test Detail Exceptions | Not available |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Approver | LIKE | % |
| Exception Type | LIKE | % |
| Exception Detail | LIKE | % |
| Test Description | LIKE | % |
| Datasource Group | LIKE | % |
| Datasource Name | LIKE | % |
| Assessment | LIKE | % |
| Refresh Rate in seconds | | 0 |
Test Exceptions Original report and Test Exceptions report
Both reports indicate pairs of tests and datasources that are exempted
temporarily. The Test Exceptions report is a more comprehensive version of
the Test Exceptions Original report.
Test Exceptions Original report
Use the following selections to configure the Test Exceptions Original report:
| Domain | Based on Query | Main Entity |
| Internal - not available | Test Exceptions | Not available |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -12 MONTH |
| Period To | <= | NOW |
Test Exceptions report
Use the following selections to configure the Test Exceptions report:
| Domain | Based on Query | Main Entity |
| Internal - not available | Test Exceptions | Not available |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -3 HOUR |
| Period To | <= | NOW |
| Approver | LIKE | % |
| Test Description | LIKE | % |
| Datasource Group | LIKE | % |
| Datasource Name | LIKE | % |
| Assessment | LIKE | % |
| Refresh Rate in seconds | | 0 |
Threat analytics case for analysis
When a case is assigned in the active threat analytics page, this report is sent to the assignee.
It includes the case details and its observations.
| Domain | Based on Query | Main Entity |
| Active Threat Analytics | Threat analytics case for analysis | Analytic case observation |
| Run-Time Parameter | Operator | Default Value |
| Case number | = | |
| Period From | >= | NOW -3 HOURS |
| Period To | <= | NOW |
Threat Analytics Case Observations
This is a drill-down report from the open cases and the closed cases reports. It shows the case's
observations.
| Domain | Based on Query | Main Entity |
| Active Threat Analytics | Threat analytics case observations | Analytic case observation |
| Run-Time Parameter | Operator | Default Value |
| Case number | = | |
| Period From | >= | NOW -3 HOURS |
| Period To | <= | NOW |
Threat analytics closed cases
| Domain | Based on Query | Main Entity |
| Active Threat Analytics | Threat analytics closed cases | Analytic case |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -3 HOURS |
| Period To | <= | NOW |
Threat analytics open cases
| Domain | Based on Query | Main Entity |
| Active Threat Analytics | Threat analytics open cases | Analytic case |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -3 HOURS |
| Period To | <= | NOW |
Threat finder run log
This report provides the results of the threat finder runs.
| Domain | Based on Query | Main Entity |
| Analytic Outliers Status | Threat Finder Run Log | Analytic status |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -3 HOURS |
| Period To | <= | NOW |
| Show Aliases | | Radio buttons (On, Off, Default) |
| Remote Data Source | | Drop-down menu |
| Refresh rate in seconds | | 0 |
Throughput
For each Access Period in the reporting period, each row lists the Period Start time, the count
of Server IP addresses, and the total number of accesses (Access Period entities).
You can restrict the output of this report using the Server IP runtime parameter, which by
default is set to % to select all IP addresses.
| Domain | Based on Query | Main Entity |
| Internal - not available | DB Server Throughput | Not available |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| Server IP | LIKE | % |
Throughput (graphical)
This report is a Distributed Label Line chart version of the tabular Throughput report. It plots
the total number of accesses over the reporting period, one data point per Period Start time.
You can restrict the output of this report using the Server IP runtime parameter, which by
default is set to % to select all IP addresses.
| Domain | Based on Query | Main Entity |
| Access | DB Server Throughput - Chart | Access Period |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| Server IP | LIKE | % |
User Activity Audit Trail Reports
The User Activity Audit Trail menu selection displays two reports. In
addition, from each of those reports, a third report can be produced. See:
- User Activity Audit Trail
- System/Security Activities
- Detailed Guardium User Activity (Drill-Down)
User Activity Audit Trail
For the reporting period, for each User Name seen on a Guardium User Activity Audit entity, each
row displays the Guardium User Name, an Activity Type Description (from the Guardium Activity Types
entity), a Count of Modified Entity values, the Host Name, and the total number of Guardium Activity
Audits entities for that row.
From any row of this report, the Detailed Guardium User Activity report is available as a
drill-down report.
| Domain | Based on Query | Main Entity |
| Guardium Activity | User Activity Audit Trail | Guardium User Activity Audit |
| Run-Time Parameter | Operator | Default Value |
| Host Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
System/Security Activities
Within the reporting period, for each username that is seen on a Guardium User Activity Audit
entity, each row displays the Guardium User Name, an Activity Type Description (from the Guardium
Activity Types entity), a Count of Modified Entity values, the Host Name, and the total number of
Guardium Activity Audits entities for that row.
From any row of this report, the Detailed Guardium User Activity report is available as a
drill-down report.
| Domain | Based on Query | Main Entity |
| Guardium Activity | User Activity Audit Trail | Guardium User Activity Audit |
| Run-Time Parameter | Operator | Default Value |
| Host Name | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Detailed Guardium User Activity (Drill-Down)
This report is not available from the menu, but can be opened for any row of the User Activity
Audit Trail report, or the System/Security Activities report. For the selected row of the report,
based on the User Name and Activity Type Description, this report lists the following attribute
values, all of which are from the Guardium User Activity Audit entity, except for the Activity Type
Description, which is from the Guardium Activity Types entity: User Name, Timestamp, Modified
Entity, Object Description, All Values, and a count of Guardium User Activity Audits entities for
the row.
| Domain | Based on Query | Main Entity |
| Guardium Activity | Detailed Guardium User Activity | Guardium User Activity Audit |
| Run-Time Parameter | Operator | Default Value |
| Activity Type Description | | value from calling report |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| User Name | | value from calling report |
Warning: The activities of the root user and other sensitive system accounts are logged.
Drilling down into the activity of these users might show sensitive commands and passwords that were
entered on the command line. Whenever possible, users should not enter sensitive command line
information that they would not like to show in this drill-down report.
User Comments - Sharable
Sharable user comments are all comments except for inspection engine, installed policy, and audit
process results comments. For each sharable user comment, this report lists the date created, the
type of object referenced (an alert, for example), the object description, the user who created the
comment, and the contents of the comment.
Note: Comments defined for inspection engines, installed policies, or audit process results can be
viewed from the individual definitions, but they cannot be displayed on a report.
| Domain | Based on Query | Main Entity |
| Comments | Comments Defined | Comments |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -2 MONTH |
| Period To | <= | NOW |
User To-Do Lists
Displays for each Guardium audit process: a description, login name, action required (review or
approve), status, user who signed or reviewed, and execution date of the specified task.
| Domain | Based on Query | Main Entity |
| Internal - not available | Users To-do List | Not available |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
Unit Utilization Levels
The following default reports provide unit utilization data:
- Unit Utilization: Displays the maximum unit utilization level for each unit in the given time
frame. There is a drill-down that displays details for a unit across all periods within the time
frame of the report.
- Unit Utilization Distribution: Per unit, this report displays the percent of periods in the
report time frame with utilization levels of low, medium, and high.
- Utilization Thresholds: This predefined report displays all low and high threshold values for
all unit utilization parameters.
- Unit Utilization Daily Summary: Provides a daily summary of unit utilization data.
| Domain | Based on Query | Main Entity |
| Internal - not available | Unit Utilization Distribution | Unit Utilization Levels |
| Run-Time Parameter | Operator | Default Value |
| Period From | >= | NOW -24 HOUR |
| Period To | <= | NOW |
Values Changed
For the reporting period, this report provides detailed information about monitored value
changes. All displayed attribute values are from the Monitor Values entity. The query that this
report is based on has a nonstandard sorting sequence as follows:
- Server IP
- DB Type
- Audit Timestamp
- Audit Table Name
- Audit Owner
The query that this report is based on has several runtime parameters, all of which use the LIKE
operator and default to the value %, which means all values are selected.
For each monitored value selected, a row of the report lists the Timestamp, Server IP, DB Type,
Service Name, Database Name, Audit Login Name, Audit Timestamp, Audit Table Name, Audit Owner, Audit
Action, Audit Old Value, Audit New Value, SQL Text, Triggered ID, and a count of Change Columns
entities for that row.
| Domain | Based on Query | Main Entity |
| Value Changed | Values Changed | Changed Columns |
| Run-Time Parameter | Operator | Default Value |
| Audit Action | LIKE | % |
| Audit Login Name | LIKE | % |
| Audit Owner | LIKE | % |
| Audit Table Name | LIKE | % |
| DB Type | LIKE | % |
| Period From | >= | NOW -1 DAY |
| Period To | <= | NOW |
| Server IP | LIKE | % |