Audit process task types
When you create an audit process with the Audit Process Builder, you need to select the database activity monitoring tasks to include in your audit process. Create the monitoring activities that you want to include before you start building the audit process.
Process task types
An audit process can contain any number of audit tasks. Select the type of task from the New task window.
- Report - Produces a report, which can be either custom or a Guardium® predefined report. The report type must be Tabular.
- Security assessment - The security database assessment scans the database infrastructure for vulnerabilities, and provides an evaluation of database and data security health, with both real-time and historical measurements. The report compares the current environment against preconfigured vulnerability tests based on known flaws and vulnerabilities. The tests are grouped by using common database security best practices (like STIG and CIG1), as well as incorporating custom tests. The application generates a Security Health Report Card, with weighted metrics (based on best practices) and recommends action plans to help strengthen database security.
- Entity audit trail - Produces a detailed report of activity that relates to a specific entity (for example, a client IP address or a group of addresses).
- Privacy set - Produces a report that details access to a group of object-field pairs (a Social Security number and a date of birth, for example) during a specified time period.
- Discover sensitive data - Scans the existing database metadata and data, reporting on information that might be sensitive, such as Social Security numbers or credit card numbers.
- External feed - Exports data to an external specialized application for further forensic analysis. Note: The External Data Feed is an optional component that is enabled by a product key. This feature displays only if it is enabled.
Defining a report task
Before you begin, you need a report. For more information about creating reports, see Using the Query-Report Builder.
- Select Report as the task type.
- Enter a name for this task and select an existing report (which can be either a Guardium pre-defined or a user-defined report).
- Select the format that you want for exporting: CSV, CEF, PDF, Write to Syslog, and Compress. For more information, see Exporting audit results.
- PDF options apply to both PDF attachments and PDF export files. If you select PDF, then you can further select from:
- Report - The current results
- Diff - The differences between a new report and the previous report (only available if a previous report exists)
- Reports and Diff - Both the current and diff reports
Note: The maximum number of rows that can be compared at one time is 5000. If the number of result rows exceeds the maximum, an error message displays.
- Enter all of the remaining information in the New task window. The information varies depending on the report that you select. Note: When setting time periods, you can select Sync QUERY_FROM_DATE to the previous execution date to prevent missing or duplicate data in scheduled audit processes. If you select this option, be aware that:
- The audit process must run at least once before the setting takes effect.
- If an audit process has not run recently, consider disabling the setting to avoid an excessive amount of data in the report.
- Click OK.
Defining a security assessment task
Before you begin, you need a security assessment. For more information, see Creating an assessment.
- Select Security Assessment as the task type.
- Enter a name for this task and select an existing security assessment.
- Optionally, select whether to export the output in AXIS (Apache eXtensible Interaction System, used by QRadar) or SCAP (Security Content Automation Protocol) format.
AXIS or SCAP saves the audit process results in XML format and transfers the file to the destination defined in Results Export. For more information, see Exporting (files) results.
- Select whether to create a PDF report that contains:
- Report - The current results
- Diff - The differences between a new report and the previous report (only available if a previous report exists)
- Report and Diff - Both the current and diff reports
- Click OK.
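The Report, Diff and Report and Diff options above (for both report tasks and security assessment tasks) compare the current result set with the result set of the previous run, and the comparison is only possible when a previous result exists and neither result exceeds the 5000-row limit. The following Python is an added illustration of those semantics, not Guardium code: the row tuples, the function names and the section layout are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Row cap for a diff, as stated in the task description (constant name is ours).
MAX_DIFF_ROWS = 5000

Row = Tuple[str, ...]


class DiffLimitExceeded(Exception):
    """Raised when a result set has more rows than can be compared at once."""


def diff_reports(previous: List[Row], current: List[Row],
                 max_rows: int = MAX_DIFF_ROWS) -> Dict[str, List[Row]]:
    """Compare two tabular results and return the rows added since, and
    removed from, the previous run. Multiset semantics: a row that appears
    twice in the previous run and once now counts as one removal."""
    if len(previous) > max_rows or len(current) > max_rows:
        raise DiffLimitExceeded(
            f"cannot compare more than {max_rows} rows at once "
            f"(previous={len(previous)}, current={len(current)})")
    prev_counts = Counter(previous)
    cur_counts = Counter(current)
    return {
        "added": sorted((cur_counts - prev_counts).elements()),
        "removed": sorted((prev_counts - cur_counts).elements()),
    }


def assemble_output(mode: str, current: List[Row],
                    previous: Optional[List[Row]]) -> Dict[str, object]:
    """Build the sections of a PDF export for the selected option:
    'report', 'diff' or 'report_and_diff'. A diff section is produced only
    when a previous result exists; if 'diff' is requested on a first run,
    the output falls back to the current report alone."""
    if mode not in ("report", "diff", "report_and_diff"):
        raise ValueError(f"unknown PDF option: {mode}")
    sections: Dict[str, object] = {}
    if mode in ("report", "report_and_diff") or previous is None:
        sections["report"] = list(current)
    if mode in ("diff", "report_and_diff") and previous is not None:
        sections["diff"] = diff_reports(previous, current)
    return sections


# Constructed sample: rows of a tabular "failed logins" report
# (database user, client IP, database name). Not real data.
PREVIOUS_RUN: List[Row] = [
    ("appuser", "10.0.0.5", "ORDERS"),
    ("appuser", "10.0.0.5", "ORDERS"),
    ("dba1", "10.0.0.9", "HR"),
]
CURRENT_RUN: List[Row] = [
    ("appuser", "10.0.0.5", "ORDERS"),
    ("dba1", "10.0.0.9", "HR"),
    ("svc_etl", "10.0.1.20", "HR"),
]

if __name__ == "__main__":
    out = assemble_output("report_and_diff", CURRENT_RUN, PREVIOUS_RUN)
    print("added:", out["diff"]["added"])
    print("removed:", out["diff"]["removed"])
```

The multiset comparison matters for audit data: a report row that repeats (the same failed login seen twice) is a separate event, so the diff should reflect how many times it occurred, not only whether it occurred.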
Defining an entity audit trail task
- Select Entity Audit Trail as the task type.
- Enter a name for this task and then select the type of entity to audit. Depending on the entity that you select, supply the following information:
- Object - Enter an object name.
- Object Group - Select an object group from the list.
- Client IP - Enter a client IP address.
- Client Group IP - Select a client IP group.
- Server IP - Enter a server IP address.
- Application User Name - Enter an application user name.
- Select whether to export the audit trail as a CSV file, and optionally, supply a label. For more information, see Exporting output to CSV, CEF or PDF format.
- Select whether to compress the audit trail.
- In the Task Parameters section, supply runtime parameter values (Enter Period From and To are required).
- Click OK.
Defining a privacy set task
Before you begin, you need to create a privacy set. For more information, see Privacy sets.
- Select Privacy set as the task type.
- Enter a name for this task and then select a privacy set from the Privacy Set list.
- Select either Report by Access Details or Report by Application User to indicate how you want to sort and display the results.
- Select whether to export the privacy set as a CSV file, and optionally, supply a label. For more information, see Exporting output to CSV, CEF or PDF format.
- Select whether to compress the privacy set.
- Click OK.
Defining a discover sensitive data task
Before you begin, you need to create a sensitive data scenario. For more information, see Discover sensitive data.
- Select Discover sensitive data as the task type.
- Enter a name for this task and then select an existing sensitive data scenario from the Discover Sensitive Data list.
- Click OK.
External feed task
This type of task feeds data that is collected by Guardium to an external application, mapping the data to a format recognized by that application. External feed is an extra-cost feature, which is enabled by a patch.
If you use external feeds in a central manager environment, you must install the external feed patch on the central manager, and on all managed units on which the task runs. For more information, see Working with external feeds. For more information about how the data is mapped from Guardium to an external application, see the documentation for the purchased option.
- Select External Feed as the task type.
- Enter a name for this task and then enter the following options:
- Select a feed type from the Feed Type list
- Select an External Feed event
- Select a report from the Report list. Depending on the report selected, additional parameters display.
- Under Extract Lag, enter the number of hours by which the feed is to lag, or select Continuous to include data up to the time that the audit task runs.
- Select one or more datasources for the external feed. If needed, click the icon to create a new datasource.
- Click OK.
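Two of the settings above are about choosing the time window that a scheduled task queries: Sync QUERY_FROM_DATE to the previous execution date in the report task (which prevents gaps and duplicates when a run is late, at the cost of a very large window after a long pause), and Extract Lag in the external feed task (a fixed number of hours behind the run time, or Continuous up to the run time). The following Python is an added illustration of both, written for this page rather than taken from Guardium; the run times are constructed, and the reading of Extract Lag as "end the window N hours before the run" is our assumption from the description above.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Window = Tuple[datetime, datetime]  # (QUERY_FROM_DATE, QUERY_TO_DATE)


def report_window(run_time: datetime, schedule_interval: timedelta,
                  last_execution: Optional[datetime],
                  sync_to_previous: bool) -> Window:
    """Window queried by one scheduled report run.
    Sync off: a fixed interval ending at the run time.
    Sync on: starts at the previous execution; the first run has no previous
    execution, so it falls back to the fixed interval (the setting only takes
    effect once the process has run at least once)."""
    if sync_to_previous and last_execution is not None:
        return last_execution, run_time
    return run_time - schedule_interval, run_time


def simulate_schedule(run_times: List[datetime], schedule_interval: timedelta,
                      sync_to_previous: bool) -> List[Window]:
    """Windows produced by a sequence of (possibly late) scheduled runs."""
    windows: List[Window] = []
    last: Optional[datetime] = None
    for t in run_times:
        windows.append(report_window(t, schedule_interval, last, sync_to_previous))
        last = t
    return windows


def coverage_problems(windows: List[Window]) -> Tuple[List[Window], List[Window]]:
    """Gaps (data never reported) and overlaps (data reported twice)
    between consecutive windows."""
    gaps: List[Window] = []
    overlaps: List[Window] = []
    for (_, end1), (start2, _) in zip(windows, windows[1:]):
        if start2 > end1:
            gaps.append((end1, start2))
        elif start2 < end1:
            overlaps.append((start2, end1))
    return gaps, overlaps


def feed_window(run_time: datetime, previous_end: datetime,
                extract_lag_hours: Optional[int]) -> Window:
    """External feed extraction window. Continuous (None) includes data up to
    the run time; a lag of N hours stops N hours earlier, so records that
    arrive late at the collector are picked up by the next run instead of
    being skipped."""
    end = run_time if extract_lag_hours is None else run_time - timedelta(hours=extract_lag_hours)
    return previous_end, end


# Constructed schedule: daily runs at 02:00, with the third run delayed by four hours.
RUNS = [
    datetime(2024, 1, 1, 2), datetime(2024, 1, 2, 2),
    datetime(2024, 1, 3, 6), datetime(2024, 1, 4, 2),
]
DAILY = timedelta(hours=24)

if __name__ == "__main__":
    for sync in (False, True):
        gaps, overlaps = coverage_problems(simulate_schedule(RUNS, DAILY, sync))
        print(f"sync={sync}: gaps={gaps} overlaps={overlaps}")
```

With the fixed window, the delayed run leaves four hours unreported and the next run reports four hours twice; with the synchronized window the runs stay contiguous. The same function also shows the page's caveat: after a long pause the synchronized window covers the whole pause, which is why disabling the setting is suggested when a process has not run recently.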
Using APIs to automate audit process runs
- From the Report task, select a report for which API for automatic execution displays, such as the Guardium Group Details, Job Dependencies, or Restored Data reports.
- From API for automatic execution select an API from the list.
- Click Event and Additional Columns. The Event, Sign-off & Additional Column window opens.
- Under Define Additional Columns, in the Column Name, type API_RESULT_TEXT.
- In the Type column, select Text.
- Click Add.
- Run the audit process and click View Results. The API_RESULT_TEXT column has the returned text, and the BY column has the name of the API that ran, and the date and time when it was run.