External data correlation

This topic describes creating and managing custom tables and custom domains, for importing enterprise information to use with existing Guardium internal data.

You might have valuable information in various databases in your environment. It can be useful for an audit report to correlate relevant information from your databases with the data that is collected by Guardium. You can create custom tables on Guardium that combine enterprise information with existing Guardium internal data. You can then create queries for this information as if it were predefined data.

For example, you have a table that contains all employees, their database usernames, and the department to which they belong (such as, Development, Financial, Marketing, or HR). You can upload this table and all its data, and cross-reference this table with Guardium's internal tables. You can then see, for example, which employees from Marketing are accessing the financial database (which might constitute a suspicious activity).
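For illustration, the source table on your own database server might look like the following sketch (the table and column names here are hypothetical and are used only to show the kind of data that you could upload):

-- Hypothetical source table on an external database server
CREATE TABLE EMPLOYEE_DEPT (
    DB_USER_NAME  VARCHAR(30)  NOT NULL,  -- database login name used by the employee
    EMPLOYEE_NAME VARCHAR(100) NOT NULL,  -- employee full name
    DEPARTMENT    VARCHAR(30)  NOT NULL   -- for example: Development, Financial, Marketing, HR
);

After this table definition and its data are uploaded as a custom table, a custom domain can join DB_USER_NAME to the database user name that Guardium captures, so that reports show the employee and department behind each captured database login.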

For more information about data marts, see Data Mart.

Custom tables

Browse to the Custom Table Builder by using one of the following paths:
  • Comply > Custom Reporting > Custom Table Builder
  • Reports > Report Configuration Tools > Custom Table Builder

A custom table contains one or more attributes that you want to have available on the appliance. By uploading data for that table from an existing table, you can relate the encoded and real names.

Before you define a custom table, verify that the data you need from the existing database is a supported data type. A data type is supported if it is mapped to one of the following SQL types by the underlying JDBC driver: INTEGER, BIGINT, SMALLINT, TINYINT, BIT, BOOLEAN, DECIMAL, DOUBLE, FLOAT, NUMERIC, REAL, CHAR, VARCHAR, DATE, TIME, TIMESTAMP. The following table summarizes some of the supported and unsupported data types for uploading to a custom table.

Enterprise reports with custom tables: If, for any reason, the central manager did not receive data from a managed unit for the custom table in an enterprise report in the last 24 hours, the Guardium® UI banner displays the message:
Central manager experienced failure getting data from collector. Central manager experienced error in the last 24 hours uploading data from collector.
The error is logged both in the cmDataUpload.log file and in the following report. Click the report name to open the Scheduled Jobs Exceptions report and view details of the managed units that had exceptions.

Supported and unsupported data types for custom tables

Use this table to see the supported and unsupported data types for certain databases.

Table 1. Supported and Unsupported Data Types for Custom Tables
Oracle
  Supported: float, number, char, varchar2, date
  Unsupported: nchar, nvarchar2, long, clob, raw, nclob, longraw, bfile, rowid, urowid, blob
DB2®
  Supported: char, varchar, bigint, integer, smallint, real, double, decimal, date, time, timestamp
  Unsupported: blob, clob, longvarchar, datalink
Sybase
  Supported: char, nchar, varchar, nvarchar, int, smallint, tinyint, datetime, smalldatetime
  Unsupported: text, binary, varbinary, image, timestamp
MS SQL
  Supported: bigint, bit, char, datetime, decimal, float, int, money, nchar, numeric, nvarchar, real, smalldatetime, smallint, tinyint, smallmoney, varchar
  Unsupported: uniqueidentifier, text
Informix®
  Supported: char, nchar, integer, smallint, decimal, smallfloat, float, serial, date, money, varchar, nvarchar, datetime
  Unsupported: text
MySQL
  Supported: bigint, decimal, int, mediumint, smallint, tinyint, double, float, date, datetime, timestamp, time, year, char
  Unsupported: binary, enum, set, longtext, tinyblob, tinytext, blob, text, mediumblob, mediumtext, longblob
Note: A blob value (even a value of 1 K) in dynamic SQL can be captured, but a blob value of the same size in static SQL cannot be captured.

Archiving and restoring custom tables

From the Custom Table Builder, select a table to manage and then select Purge/Archive to open the Custom Table Data Purge page.

Click Archive to include the data in the custom table in the normal data archive. The selected custom table data is archived according to the date in the SQLGUARD_TIMESTAMP column of the custom table.

You can archive data from either a collector or an aggregator.

When you prepare archived data to restore, keep in mind the following points:
  • You can restore data to any collector or aggregator that is managed by the same central manager as the source collector. The metadata must be available or the custom table data cannot be restored.
  • Data that is archived from an aggregator can be restored to any aggregator managed by the same central manager as the source aggregator.
  • If the custom table structure changes between the archive time and the restore time in a way that results in an SQL error (for example, columns are removed or the type changes), then a warning message appears on the aggregation/archive activity report and the data is not restored.
  • If a custom table is included in the default purge, then the restored data is kept for the number of days that are specified on the restore screen.
  • If the custom table is set to overwrite data when it uploads, then restored data is deleted when the upload occurs.

Custom domains

A custom domain contains one or more custom tables. If it contains multiple tables, you define the relationships between tables when you define the custom domain.

Custom queries

A custom query accesses data from a custom domain. Use the Custom Query Builder to create queries against custom domains. Custom queries can then be used like any other query to generate reports or audit tasks, populate groups, or to define aliases.

Database entitlement reports

DB Entitlement Reports use the custom domain feature to create links between the external data on the selected database and the internal data of the predefined entitlement reports. For more information, see Linking external data to internal data. For more information about using predefined database entitlement reports, see Running database entitlement reports. To see entitlement reports, log on to the user portal and go to the DB Entitlements tab.

LDAP import into custom tables

Enrich Guardium tables with LDAP data by using an LDAP server as a datasource. Retrieve and configure LDAP attributes that can be used to customize reports.

  1. Open the Custom Table Builder.
  2. To create a new table definition, click Manually Define and define the entity. For more information, see Manually defining a table definition.
  3. From the Custom Table Builder screen, select your custom table definition and click LDAP Import.
  4. Click New to create a new LDAP datasource.
    • From the Configuration tab, specify the LDAP connection information and define the Base DN. The Base distinguished name (DN) specifies the starting point of the search in the LDAP tree. Optionally include a search filter in LDAP search syntax. For example, objectClass=person.
    • Click the Mapping tab to map the columns of the custom table to the LDAP fields.
    • Click the Schedule tab and add a schedule to import the LDAP data.
    • Click Save to save the configuration.
  5. To import data, select the LDAP Host from the LDAP configurations screen and click Run Once Now or wait for the schedule that you defined.
    Tip: To view the imported LDAP data, click the LDAP datasource from the Custom Tables list, and click Edit Data.

The custom table now has LDAP data that can be used to create custom reports.
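For example, an import that pulls people records from a directory might use values like the following (the host, Base DN, and filter shown here are hypothetical):

LDAP host: ldap.example.com, port 389
Base DN: ou=People,dc=example,dc=com
Search filter: (&(objectClass=person)(departmentNumber=1234))
Mapping: map each custom table column to an LDAP attribute, such as uid, cn, and departmentNumber

Only entries under the Base DN that match the filter are imported when the schedule runs or when you click Run Once Now.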

You can configure custom tables for LDAP in the Guardium CLI by using the following GuardAPI commands:

To import an existing table structure, see Uploading a table definition.

Uploading a table definition

Create a custom table by uploading a table definition. You can access the table's metadata from the database server on which the metadata is defined.

Note: Custom Tables uploaded to Guardium are optional components enabled by product key. If these components are not enabled, the custom table choices listed do not appear in the Custom Table Builder selection.
  1. From the Custom Table Builder, click Upload Definition to open the Import Table Structure page. It is not necessary to select an item.
  2. Enter a description for the table in the Entity desc field. This is the name you use to reference the table when you create a custom query.
  3. Enter the database table name for the table in the Table Name field. This is the name you use to create the table in the local database.
  4. Enter a valid SQL statement for the table in the SQL Statement field. The result set returned by the SQL statement must have the same structure as the custom table that you define. For example, if the custom table contains all columns from the table named my_table, enter select * from my_table.
    Note: Do not include any newline characters in the SQL statement. All columns must be explicitly named; if needed, use a column alias (see the example after these steps).
  5. Click Add Datasource to open the Select datasource window. From Select datasource, you can define where the external database is located, and the credentials that are needed to retrieve the table definition and content later in the process.
  6. Use Select datasource to identify the database from where you will upload the table definition.
  7. Click Retrieve to upload the table definition. The SQL statement runs and retrieves the table structure. The SQL request is sent to the external database from the Guardium system. Remember that only the definition is being uploaded. You can upload data later.
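For example, if the custom table needs only some of the source columns, or a source column must be renamed to match the custom table definition, a statement like the following could be used (the table and column names are hypothetical):

select DB_USER_NAME, EMPLOYEE_NAME, DEPT_NAME as DEPARTMENT from my_table

Each selected column (or its alias) corresponds to a column of the custom table that you are defining.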

Manually defining a table definition

  1. From the Custom Table Builder, click Manually Define to open the Define Entity panel.
  2. Enter a description for the table in the Entity desc field. This is the name you will use to reference the table when creating a custom query. The special characters \$|&;'`" are not allowed in the entity description.
  3. Enter the database table name for the table in the Table Name field. This is the name you will use to create the table in the local database.
  4. For each column in the table to be defined:
    • Enter a name in the Column Name box. This will be the name of the column in the database table.
    • Enter a name in the Display Name box. This is the name you will use to reference the attribute in the Custom Domain Builder and the Custom Query Builder.
    • Select a data type (Text, Date, Integer, Float, or TimeStamp).
    • For a Text attribute, enter the maximum number of characters in the Size box. (The Size box is not available for other data types.)
    • If uniqueness is to be enforced on the column, check the Unique box.
    • If the attribute being defined corresponds to a group type, select that group type from the Group Type list.
    • Click Add to add the column.
  5. Use the Entity Key drop-down list to identify which column will be used as the entity key. The Entity Key is used in the query builder when selecting count.
  6. If you make additional changes after you click Add, such as deleting a column or changing an attribute, click Apply to save the changes.
  7. Click Done when you have added all columns for the table.

Modifying a table definition

If you modify the definition of a custom table, you may invalidate existing reports that are based on queries that use that table. For example, an existing query might reference an attribute that has been deleted, or whose data type has been changed. When you apply changes to a custom table, if any queries have been built by using attributes from that table, the queries are displayed in the Query List panel. Note: You can also use Modify to view and validate the table structures that were imported.

  1. From the Custom Table Builder, select the custom table to modify.
  2. Click Modify to open the Modify Entity page.
  3. For information about modifying a table definition, see Manually defining a table definition.
  4. After you apply changes to a custom table, if any queries might be invalid due to changes to attributes from that table, the queries are displayed in the Query List page. Use Query List to choose and change queries. You do not have to make all changes immediately as you can always come back and use the Check for Invalid Queries option.

Invalid queries

If you modify the definition of a custom table, you may invalidate existing reports based on queries using that table. For example, an existing query might reference an attribute that has been deleted, or whose data type has been changed. It is a good idea to check for invalid queries after the table modification process.

  1. From the Custom Table Builder, click Invalid Queries.
  2. The queries are displayed in the Query List panel. Use Query List to choose and change queries.

Purging data from a custom table

Data can be purged from custom tables on the Guardium server on demand, or on a scheduled basis.

  1. From the Custom Table Builder, select a custom table to purge.
  2. Click Purge to open the Custom Table Data Purge panel.
  3. Click Purge All to purge now.
    Note: The Run Once Now purge checks the RESTORED_DATA table for retention. Purge All purges all records without checking the retention.
  4. In the Configuration panel, enter the age of the data to be purged, as a number of days, weeks or months prior to the purge operation date.
  5. Click Run Once Now to run a schedule purge operation once.
  6. Click Modify Schedule to open the standard Schedule Definition panel and schedule a purge operation.
  7. Click Done to close the panel.

Uploading data to a custom table

  1. From the Custom Table Builder, click the name of the table whose data you want to upload.
  2. Click Upload Data to open the Upload Data page.
  3. In the SQL statement box, enter a valid SQL statement for the table. The result set returned by the SQL statement must have the same structure as the custom table defined. For example, if the custom table contains all columns from the table named my_table, enter  select * from my_table.
    Important: Different SQL databases have unique syntax requirements. For example, compare the following SQL statements for uploading from an Oracle database and uploading from a Microsoft SQL Server database:
    -- Oracle example
    select * from xxx WHERE col1 > TO_DATE('^FromDate^', 'YYYY/MM/DD HH24:MI:SS');

    -- Microsoft SQL Server example
    select * from xxx WHERE col1 > CONVERT(DATETIME,'^FromDate^');

    To create a functional SQL statement for uploading data, test the statement outside of Guardium with the SQL interface of the specific database being used.

    Do not include any newline characters in the SQL statement.

    The following fields, which are internal to Guardium, are available for use within SQL statements:
    • ^FromDate^ and ^ToDate^ where the value is equal to the previous upload date and the current upload date, respectively.
    • ^fromID^ where the value is equal to the maximum value of the ID column from the previous upload.
      Important:
      • When you use ^FromDate^ or ^ToDate^, do not specify an ID column name.
      • When you use ^fromID^, specify an ID column name and ID column type (see the example after these steps).
  4. If you use ^fromID^, specify the ID column name and ID column type for the table that is defined within the datasource. The specified column name is used for tracking by ID.
  5. In the DML command after upload box, enter a DML command (an update or delete SQL statement) with no semicolon, to be executed after uploading the data.
    Note: Do not include any newline characters in the SQL statement.
  6. To configure Overwrite Default Purge, select Per upload to purge data in the custom table before the upload. Select Per datasource to purge data for that datasource before the upload.
  7. Check Default Purge (on the Upload Custom Data screen) to include this table in the Default Custom Table Purge Job, which has an initial default age of 60 days. To add a purge schedule for this table, go to the initial Custom Table Builder page, select a custom table, and click Purge to open the Custom Table Data Purge configuration screen.
  8. Check the Use default schedule box only if uploading tables from previous versions of Guardium. This check box only appears in a central manager view and only for the following predefined custom tables: CM Buffer Usage Monitor, Enterprise No Traffic, S-TAP Changes, and S-TAP Info.
  9. Click Add Datasource to open the Select Datasource page. From Select Datasource you can identify one or more databases from which to upload the table data. You can add multiple datasources to upload from multiple sources.
    Notes:
    • For a central manager, on the Import Data page, you can select Include default source. If this box is checked, upload data iterates through all online registered managed units.
    • When adding a datasource, the application cannot be scheduled to run without specifying the user name and password of the selected datasource.
  10. You can click Check/Repair to compare the schema of the custom table to the schema of the metadata. In a central management environment, the custom table definition resides on the central manager, and the custom table might not exist on the local (managed unit) database. Click Check/Repair to check whether the custom table exists locally, and to create it if it does not.
  11. Click Verify Datasources to test the external database connection. An acknowledgment screen will appear.
  12. Click Apply.
  13. To upload data to this custom table, do one of the following:
    • Click Run Once Now to upload data manually.
    • Check Modify schedule to configure the schedule.
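As a sketch, an upload SQL statement that uses the ^fromID^ placeholder for incremental uploads might look like the following (the table and column names are hypothetical; the ID column name specified in step 4 would be EVENT_ID in this case):

select EVENT_ID, DB_USER_NAME, EVENT_INFO from my_events WHERE EVENT_ID > ^fromID^

Because ^fromID^ is replaced with the maximum value of the ID column from the previous upload, each run retrieves only the rows that were added since that upload.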

Maintaining custom tables

When you follow the procedure for creating a custom table (detailed previously) and select a predefined custom table, click Maintenance to manage the table engine type and table index. The table engine types for custom tables/entitlements (InnoDB and MyISAM) appear for all predefined custom databases because the data stored in the Guardium internal database is MySQL-based. The two major types of table storage engines for MySQL databases are InnoDB and MyISAM. Major differences between these MySQL table engine types:
  • InnoDB is more complex while MyISAM is simpler.
  • InnoDB is stricter about data integrity while MyISAM is looser.
  • InnoDB implements row-level lock for inserting and updating while MyISAM implements table-level lock.
  • InnoDB has transactions while MyISAM does not.
  • InnoDB has foreign keys and relationship constraints while MyISAM does not.
Note:
  • Changing the engine type is disallowed (and the selection is grayed out) if the number of rows in the table is greater than 1 million.
  • The Length for Text Columns field does not apply to and is not saved for integer-only columns.

The other selection in the Maintain Custom Table menu is Manage Table Index. Click Insert to open Table Index Definition. The pop-up screen suggests columns in the table to add to indexes, based on columns that are used in custom domains as join conditions. Select the columns and save. Indexes are created (or re-created).

To maintain performance, MySQL allows a maximum length for indexes:
  • MyISAM: 1000 bytes = 333 characters
  • InnoDB: 3072 bytes = 1024 characters
The utf8mb3 character set uses 3 bytes per character. If columns with more characters than the limit are required, use a subset of the column length.
For example, instead of:
create index a1 on CUSTOM.aaa (id,`System`(255),aaa(255),qqq(255));
Use:
create index a1 on CUSTOM.aaa (id,`System`(100),aaa(100),qqq(100));

Scheduling custom data uploads

Once a custom table definition is in place, data can be uploaded to custom tables on the Guardium appliance on a scheduled basis.

Note: New installations do not automatically start Enterprise reports. There is one upload schedule for each custom table. The total amount of disk space reserved on the Guardium appliance for custom tables is 4 GB.
  1. Open the Custom Table Builder.
  2. Choose a custom table by clicking the entity label to highlight it.
  3. Click Upload Data to open the Import Data panel.
  4. Mark the Use Default Schedule check box to upload this table using the default schedule. Otherwise, this custom table uses its own upload data schedule.
  5. Click Modify Schedule to open the standard Schedule Definition panel and modify the schedule.
  6. Click Done when you are finished.
The Enterprise report custom uploads are like other jobs. There are two ways to enable them:
  • In the Custom Table Upload GUI (requires a license for custom upload).
  • Use GuardAPI from the CLI:
    grdapi add_schedule jobName=CustomTablePurgeJob_CM_SNIFFER_BUFFER_USAGE jobGroup=customTableJobGroup
    Enterprise S-TAPs Changed: grdapi add_schedule jobName=customTableDataUpload_106 jobGroup=customTableJobGroup
    CM Buffer Usage Monitor: grdapi add_schedule jobName=customTableDataUpload_104 jobGroup=customTableJobGroup
    S-TAP Info: grdapi add_schedule jobName=customTableDataUpload_80 jobGroup=customTableJobGroup
Attention: When scheduling custom table jobs, the Start Time defines the time at which the schedule begins each day. For example, setting Start Time to 4 p.m. means the schedule will run from 4 PM until midnight each day. To create schedules that run continuously throughout the day, set Start Time to 12 a.m. (Midnight).

Creating a custom domain

After you define one or more custom tables, define a custom domain so that you can perform query and reporting tasks by using the custom data. The information that is collected is organized into domains, each of which contains a different type of information that relates to a specific area of concern: data access, exceptions, policy violations, and so on. There is a separate query builder tool for each domain. Custom domains are user-defined and can contain any tables of data that are uploaded to the Guardium appliance. See Custom Domains. These custom entitlement (privileges) domains are used for entitlement reports, which are available when you are logged in as a user. To see these reports, go to the user tab, DB Entitlements.

Note: DB Entitlements Domains are optional components enabled by product key. If these components have not been enabled, the choices listed in the Custom Domains help topic will not appear in the Custom Domain Builder selection.
  1. Open the Custom Domain Builder by navigating to one of the following:
    • Comply > Custom Reporting > Custom Domain Builder
    • Reports > Report Configuration Tools > Custom Domain Builder
  2. Click Domains to open the Domain Finder panel.
  3. Click New to open the Custom Tables Domain panel.
  4. Enter a Domain Name. Typically, you will be including a single custom table in the domain, so you may want to use the same name for the domain.
  5. The Available Entities box lists all custom tables that have been defined (and to which you have access). Select an entity. Optionally, click the (Filter) tool to open the Entity Filter and enter a Like value to select only the entities you want listed, and click Accept. This closes the filter window and returns you to the Custom Tables Domain panel, with only those entities matching the Like value listed in the Available Entities box. Select the entity you want to include.
  6. Click the >> arrow button to move the entity selected in the Available Entities list to the Domain Entities list.
  7. To add an entity to a domain that already has one or more tables, follow these steps. You will need to use the Join Condition to define the relationship between the entities. For each additional entity:
    Note: When data level security is on, internal entities added to the custom domain cannot belong to different domains with filtering policies.
    1. From the Domain Entities box, select an entity. All of the attributes of that entity will become available in the field drop-down list of the Domain Entities box. Select the attribute from that list that will be used in the join operation.
    2. From the Available Entities list, select the entity you want to add. All of the attributes of that entity will become available in the field dropdown list of the Available Entities box. Select the attribute from that list that will be used in the join operation.
    3. Select = (the equality operator) if you want the join condition to be equal (e.g., domainA.attributeB = domainC.attributeD). Select outer join if you want the join condition to be an outer join using the selected attributes.
      Note: Known limitation: After an entity is added, the Detail window in the GUI always displays it as an inner join. However, the correct join condition is saved in the table.
    4. Click Add Field Pair. Add Field Pair can be used to add more attribute pairs of these two entities to the join condition.
    5. Repeat the steps for any additional join operations.
  8. Select the Timestamp attribute for the custom domain entity.
    Note: At least one entity with a timestamp must be used, since a timestamp is required to save a custom domain.
  9. Click Apply.

Modifying a custom domain

The goal is to create a linkage between external data and the internal data.  

  1. Open the Custom Domain Builder.
  2. Choose the Custom Domain that you wish to modify.
  3. Click Modify to open the Custom Tables Domain panel.
  4. See Open Custom Domain Builder and Linking External Data to Internal Data for assistance.
  5. Click Apply to save the changes.

Removing a custom domain

  1. Open the Custom Domain Builder.
  2. Choose the Custom Domain that you wish to remove.
  3. Click Domains to open the Domain Finder panel.
  4. Click Delete to remove the custom domain.

Cloning a custom domain

  1. Open the Custom Domain Builder.
  2. Choose the Custom Table that is in the domain you wish to clone.
  3. Click Domains to open the Domain Finder panel.
  4. Click Clone to open the Custom Tables Domain panel.
  5. Change the Domain Name to reflect the new domain.
  6. See Open Custom Domain Builder and Linking External Data to Internal Data for assistance.
  7. Click Apply to save the changes.

Linking external data to internal data

The goal is to create a linkage between external data and the internal data.  

  1. Open the Custom Domain Builder.
  2. Choose the Custom Table that has your external data.
  3. Click Domains to open the Domain Finder panel.
  4. Click Modify to open the Custom Tables Domain panel.
  5. Click the Filter icon next to the Available Entities.
  6. Clear the Custom box for the filter, optionally fill in a Like condition to filter entity names, and click Accept.
  7. Select an entity from the Available Entities that you would like to link with your external data.
  8. Select the field that will be used to join data with your external data.
  9. Highlight the table from the Domain Entities list that contains your external data.
  10. Select the field that will be used to join data with the internal data.
  11. Click Add Field Pair to add the relationship.
  12. Click the double arrow >> to add the internal table to the Domain Entities list.
  13. Click Apply to save the changes.
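Conceptually, the linkage that these steps define resembles the following join (the table and column names are hypothetical; Guardium builds the actual query internally, so this SQL is only an illustration of the relationship):

select g.DB_USER_NAME, e.EMPLOYEE_NAME, e.DEPARTMENT
from GUARDIUM_INTERNAL_ENTITY g
join MY_EXTERNAL_TABLE e on g.DB_USER_NAME = e.DB_USER_NAME

Queries in the custom domain can then report internal attributes (such as the captured database user name) side by side with the external attributes (such as the employee name and department).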

Working with custom queries

This section describes how to open the Custom Query-Report Builder. For more information about defining a query, see Using the Query-Report Builder. Use the Custom Query Builder to build queries against data from custom domains, which contain one or more custom tables.

  1. From the Custom Query Builder, select a custom domain from the list. The list of queries/reports under this domain opens.
  2. To view, modify or clone an existing query, select it from the Query Name list.

Bidirectional interface to and from InfoSphere Discovery

Both IBM® Guardium and InfoSphere® Discovery can identify and classify sensitive data, such as social security numbers or credit card numbers.

A Guardium customer can use a bidirectional interface to transfer identified sensitive data from one product to the other. Customers who have already invested time in one InfoSphere product can transfer the information to the other InfoSphere product.
Note: In Guardium, the Classification process is an ongoing process that runs periodically. In InfoSphere Discovery, Classification is part of the Discovery process that usually runs once.

The data is transferred via CSV files.

The summary of Export/Import procedures is as follows:
  • Export from Guardium - Run the predefined report (Export Sensitive Data to Discovery) and export as CSV file.
  • Import to Guardium - Load to a custom table against CSV datasource; define default report against this datasource.

Export from Guardium

Export Classification Data from Guardium to InfoSphere Discovery

Follow these steps:
  1. As an admin user in the Guardium application, go to Tools > Report Building > Classifier Results Tracking > Select a Report > Export Sensitive Data to Discovery.
    Note: Add this report to the UI pane (it is not there by default).
  2. Click the Customize icon on the Report Result screen and specify the search criteria to filter the classification results data to transfer to Discovery.
  3. Run the report and click Download All Records.
  4. Save as CSV and import this file to Discovery according to the InfoSphere Discovery instructions.

Import to Guardium

Import Classification Data from InfoSphere Discovery to IBM Guardium

  1. Export the classification data as CSV from InfoSphere Discovery based on InfoSphere Discovery instructions.
  2. Open the Custom Table Builder by navigating to either of the following:
    • Comply > Custom Reporting > Custom Table Builder
    • Reports > Report Configuration Tools > Custom Table Builder
  3. Select ClassificationDataImport and click Upload Data.
  4. On the Upload Data screen, click Add Datasource, click New, and define the CSV file that was imported from Discovery as a new datasource (Database Type = Text).
    Note: Alternatively, you can load the data directly from the Discovery database if you know how to access the Discovery database and the classification results data.
  5. After you define the CSV file as a datasource, click Add on the Datasource list screen.
  6. On the Upload Data screen, click Verify Datasource and then click Apply.
  7. Click Run Once Now to load the data from the CSV.
  8. Go to Report Builder, select the Classification Data Import report, click Add to Pane to add it to your portal, and then navigate to the report.
  9. Open the report, click Customize to set the From/To dates, and run the report.

The report result contains the classification data that is imported from InfoSphere Discovery. Double-click a row to invoke the APIs that are assigned to this report. The data imported from Discovery can be used for the following:

  • Add new Datasource based on the result set.
  • Add/Update Sensitive Data Group.
  • Add policy rules based on datasource and sensitive data details.
  • Add Privacy Set.

CSV interface signature

The following table provides examples of CSV interface signatures used in the bidirectional transfer between Guardium and InfoSphere Discovery.

Table 2. CSV Interface signature
Interface signature Example
Type Db2
Host 9.148.99.99
Port 50001
dbName (Schema name for Db2 or Oracle, db name for others) cis_schema
Datasource URL  
TableName MK_SCHED
ColumnName ID_PIN
ClassificationName SSN
RuleDescription Out-of-box algorithm of InfoSphere Discovery
HitRate 70% - not available for export in Guardium Vers. 8.2
ThresholdUsed 60% - not available for export in Guardium Vers. 8.2
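Assuming that the fields appear in the order listed in the table, a single row of the transferred CSV file might look like the following (the values are taken from the examples in the table; the exact header row and delimiter handling depend on the export):

Db2,9.148.99.99,50001,cis_schema,,MK_SCHED,ID_PIN,SSN,Out-of-box algorithm of InfoSphere Discovery,70%,60%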