Predefined user reports

This section provides a short description of all predefined reports for users with default user access.

Note: If data level security at the observed data level is enabled (see Data level security filtering), then the audit process output is filtered so users see only the information about their databases.

Active Users Last Login

Last login recorded during the reporting period for each member of the Active Users group. All members of the group will be listed, even if there were no logins during the reporting period. This is unlike most other reports based on members of a group. In the “normal” case, if no activity is found for a member, that member is not listed.

Each row lists a DB User Name, Client IP, Server IP, Server Type, Source Program, last login time (the maximum value of the Session Start attribute), and the count of sessions for the row.

The Active Users group is empty at installation time. It must be populated by someone at your location. The query that this report is based upon, Active Users Last Logins, cannot be accessed from the Query-Report Builder.

Active Users with no Activity

Listing of members in the Active Users group who have had no activity during the reporting period. This report will be empty if all users have had activity during the reporting period.

The Active Users group is pre-defined, but empty at installation time. It must be populated by someone at your location. The query that this report is based upon, Active Users with no Activity, cannot be accessed from Query-Report Builder.

Activity By Client IP

For each Client IP address seen during the reporting period, a row counts the number of SQL Verbs, Object Names, and the total number of sessions.

Administrative Commands Usage

For each SQL Verb included in the Administrative Commands group that was seen during the reporting period, this report lists the SQL Verb, Depth, Object Name, and Client IP, and a count of objects referenced.

Administrative Objects Usage

For each Object Name included in the Administration Objects group that was seen during the reporting period, each row lists the Object Name, Client IP, Server IP, Service Name, Database Name, Source Program, DB User Name, and Count of Objects for that row.

Admin Users Login

For each DB User Name included in the Admin Users group, who had one or more sessions during the reporting period, each row lists the Client IP, DB User Name, Source Program, Session Start time, and Count of Sessions for that row.

ALTER Commands Execution

All ALTER commands issued. The report displays the client IP from which the DDL was requested, server IP address, service name, database user name, source program, database name, object name, and main SQL verb (a specific DDL command) for each combination of client IP/DDL command listed on that specific line.

For each SQL Verb from the ALTER Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

Archive Candidates

This report lists objects (database tables or stored procedures, for example) that have not been accessed for an extended period of time. You cannot access the query this report is based upon.

BACKUP Commands Execution

For each SQL Verb from the BACKUP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

Classification Process Results

Lists classification process tasks.

Client IP Activity Summary

This report displays reporting period activity from a single Client IP address, which is specified as a run time parameter. Each row of the report displays the Client IP, Source Program, SQL Verb, Depth (of sentence within the SQL command), an Object Name, and a count of times that object was referenced for that row.

Commands List

This report lists all SQL Verbs seen during the reporting period. At the outermost level, commands are grouped by the Period Start time from the Access Period entity, which is usually one hour, on the hour. Your Guardium administrator can modify the access period length by changing the logging granularity, which is one hour by default. For each Access Period in the reporting period, each row lists the access Period Start time, a SQL Verb, Depth of the verb in the SQL statement, Parent (a pointer to the owning verb), and a count of occurrences for the row.

Cosmos Full SQL

For the Azure Cosmos database, the Diagnostics setting includes DataPlaneRequests and a QueryRuntimeStatistics log that you can stream to an event hub.

For DataPlaneRequests, data is mapped between Cosmos and Guardium as follows:
  • activityId maps to FULL SQL"."More Information"
  • clientIpAddress maps to Guardium "Client/Server"."Client IP"
  • database account is extracted from resourceId and maps to "Client/Server"."Server Host Name"
  • duration maps to "FULL SQL"."RESPONSE_TIME"
  • operationName, requestResourceId, requestResourceType, resourceTokenPermissionId, responseLength, and statusCode are concatenated and mapped to "FULL SQL"."Full Sql"
  • region is mapped to "Client/Server"."Server Description"
  • time is mapped to "FULL SQL"."Timestamp"
  • userAgent is mapped to "Client/Server"."Source Program"
For QueryRuntimeStatistics, data is mapped as follows:
  • database account is extracted from resourceId and maps to "Client/Server"."Server Host Name"
  • time maps to "FULL SQL"."Timestamp"
  • databasename, collectionname, and querytext are concatenated and maps to "FULL SQL"."Full Sql"
  • activityId and maps to "FULL SQL"."More Information"
When LOG_FULL_DETAILS action is selected, DataPlaneRequests and QueryRuntimeStatistics are saved as seperate "FULL SQL" records, and the Cosmos Full SQL report correlates QueryRuntimeStatistics "FULL SQL" records to corresponding DataPlaneRequests "FULL SQL" records with the same activityId and then concatenates them both as "FULL SQL"."Full Sql".
Domain Based on Query Main Entity
Access Cosmos Full SQL FULL SQL

CREATE Commands Execution

For each SQL Verb from the CREATE Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

Databases Discovered

For the reporting period, for each Discovered Port entity where the DB Type attribute value is NOT LIKE Unknown, this report lists the Probe Timestamp, Server IP, Sever Host Name, DB Type, Port, Port Type, and count of Discovered Ports for the row.

Domain Based on Query Main Entity
Auto-discovery Databases Discovered Discovered Port
Run-Time Parameter Operator Default Value
Period From >= NOW -1 DAY
Period To <= NOW

Database Servers

For each Server IP address accessed during the reporting period, a row of the report displays the Server Type, Database Name, Service Name, a count of source programs accessing that server, and the total number of sessions for that row.

Data Set z/OS Sensitive Object Activity

Displays all access to data sets in group z/OS Data Set Sensitive Objects.

Domain Based on Query Main Entity
Access DSz Sensitive Object Activity FULL SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
pgm LIKE %
likeDSname LIKE %

Data Set z/OS Privileged User Activity

Displays all access by users in group z/OS Data Set Privileged Users.

Domain Based on Query Main Entity
Access DSz Privileged User Activity FULL SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
pgm LIKE %
likeDSname LIKE %

Data Sources

This report appears on the default layout for both administrators and users. See Data Sources on the Predefined Reports - Common page.

Data Source Version History

This report appears on the default layout for both administrators and users. See Data Source Version History on the Predefined Reports - Common page.

DB Predefined Users Login

For each DB User Name included in the DB Predefined Users group, who had one or more sessions during the reporting period, each row lists the DB User Name, Client IP, Server IP, Source Program, Database Name, Service Name, and Count of Sessions for that row.

DBCC Commands Execution

For each SQL Verb from the DBCC Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, SQL statement, and Count of Objects referenced in the row.

Db2 z/OS Sensitive Object Activity

Displays all access to tables in group z/OS DB2 Sensitive Objects for Reports.

Domain Based on Query Main Entity
Access Db2z Sensitive Object Activity FULL SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW

Db2 z/OS Privileged User Activity

Displays all access by users in group z/OS DB2 Privileged Users.

Domain Based on Query Main Entity
Access Db2z Privileged User Activity FULL SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
FullSQLLike LIKE %
Db2Subsystem LIKE %
NetowrkProtocol LIKE %
DbUser LIKE %

DDL Commands

All DDL commands sent to the database. The report displays the client IP from which the DDL was requested, the main SQL verb (a specific DDL command), and the total objects accessed for that record.

For each SQL Verb from the DDL Commands group seen during the reporting period, this report displays the Client IP, Server IP, Server Type, SQL Verb, and Count of Commands referenced in the row.

DDL Distribution

This bar graph displays the distribution of commands seen from the DDL Commands group during the reporting period. For each command seen, a single bar represents the total number of objects affected.

DML Execution on Administrative Objects

For each SQL Verb from the DML Commands group that references an Object Name in the Administration Objects group, this report displays a row for the DB User Name, Client IP, Server IP, Server Type, Service Name, Database Name, SQL Verb, Object Name, and Count of Objects referenced in the row.

DML Execution on Sensitive Objects

For each SQL Verb from the DML Commands group that references an Object Name in the Sensitive Objects group, this report displays a row for each Access Period, Client IP, and Source Program, with a total count of objects referenced in that row. Although the report title contains the word Executions, there is no guarantee that all commands reported were actually executed.

DROP Commands Execution

For each SQL Verb from the DROP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

DW Dormant Objects

Shows all the members of one group that are not members in a second group, with a focus on dormant tables. For example, this report shows objects that are in the all objects group, but have not been used in a Select.

DW Dormant Objects/Fields

Shows all the members of one group that are not members in a second group, with a focus on dormant tables and columns. In this instance, groups are a 2-tuple type (members that are a composite of a pair of value attributes). For example, this report shows objects that are in the all objects and fields group, but have not been used in a Select.

DW EXECUTE Object Access

Use this report to populate the group called DW EXECUTE Objects with a set of stored procedure names that being executed. Then use indirect mapping in Group Builder/Auto Generate Calling Prox to generate all the objects being used within these procedures.

DW SELECT Object Access

This report shows all object names that have been accessed through a SELECT statement.

DW SELECT Object-Field Access

This report shows all object and field names that have been accessed through a SELECT statement.

Exception Count

The total number of exceptions (Exception entities) logged during the reporting period.

Exceptions Distribution

Each wedge of the pie chart represents the proportion of exceptions for each Exception Description attribute value (from the Exception Type entity) that was logged during the reporting period.

As with any chart, you can drill down on the pie chart to display the tabular version of the query on which the chart is based. There are several exceptions reports that are accessible from this tabular report (or drill-downs from it) that are available here, but are not included on any menu.

Exceptions Monitor

A count of exceptions logged during the reporting period. One datapoint is created each time that you refresh the report on your portal.

Excessive Errors per period

Display #Errors/Period; E.g., more than N errors in 60min for the same Client IP address, Server IP address, Server Type, database user name.

Failed User Login Attempts

For each failed login attempt during the reporting period, lists the User Name, Source Address, Destination Address, and Database Protocol Type for the server the user was attempting to log into.

Flat LOG List

Lists flat log processing tasks.

Full SQL By Client IP

This report displays reporting period Full SQL attribute values that have been logged for a single Client IP, which is specified as a run time parameter. Each row of the report displays the Full SQL ID, Timestamp (of the Full SQL entity), Client IP, DB User Name, Session Start, Source Program, Full SQL, and a count of occurrences for the row.

Full SQL By DB User Name

This report displays reporting period Full SQL attribute values that have been logged for a single DB User Name, which is specified as a run time parameter. Each row of the report displays the Full SQL ID, Timestamp (of the Full SQL entity), Client IP, DB User Name, Session Start, Source Program, Full SQL, and a count of occurrences for the row.

GRANT Commands Execution

For each SQL Verb from the GRANT Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

Guardium Job Queue

Displays the Guardium Job Queue. For each job, lists the Process Run ID, Process Type, Status, Cls/Asmt Process Id, Report Result Id, Cls/Asmt Description, Audit Task Description, Queue Time, Start Time, End Time, and Data Sources.

Domain Based on Query Main Entity
internal - not available Guardium Job Queue not available
Run-Time Parameter Operator Default Value
Job Description LIKE %
Period From >= NOW -1 DAY
Period To <= NOW

Hourly Access Details

This report produces a highly detailed listing for each DB User Name seen in the reporting period, which is one hour by default for this report. Each row of the report lists a DB User Name, Client IP, Server IP, Period Start, Source Program, SQL (from the SQL entity), and a count of occurrences during the access period.

IMS Access (z/OS)

Use this to report to view details of access to the IMS (z/OS®).

Domain Based on Query Main Entity
Access IMS Access Client Server
Run-Time Parameter Operator Default Value
Period From >= NOW -2 HOUR
Period To <= NOW

IMS Object (z/OS)

Use this to report to view an object-level view of access to the IMS (z/OS).

Domain Based on Query Main Entity
Access IMS Object Object
Run-Time Parameter Operator Default Value
Period From >= NOW -2 HOUR
Period To <= NOW

IMS Event (z/OS)

Use this to report for a summary of the type of access (such as DLI), and the command and object mapping of IMS (z/OS) events.

Domain Based on Query Main Entity
Access IMS Event SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -2 HOUR
Period To <= NOW

IMS Data Access Details (z/OS)

This report uses the Full SQL Entity as the main entity and provides full details of each access to the IMS (z/OS).

Domain Based on Query Main Entity
Access IMS Data Access Details Full SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -2 HOUR
Period To <= NOW
Client IP LIKE  
DBUserName LIKE  
IMS Name LIKE  
ServerIP LIKE  

IMS z/OS - Privileged User Activity

Displays all access by users in group z/OS IMS Privileged Users for Reports.

Domain Based on Query Main Entity
Access IMSz Privileged User Activity FULL SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
ServiceName LIKE %
IMSUserID LIKE %
FullSQL LIKE %

IMS z/OS - Sensitive Object Activity

Displays all access to segments in group z/OS IMS Sensitive Objects for Reports.

Domain Based on Query Main Entity
Access IMSz Sensitive Object Activity FULL SQL
Run-Time Parameter Operator Default Value
Period From >= NOW -3 HOUR
Period To <= NOW
ServiceName LIKE %
IMSUserID LIKE %
FullSQL LIKE %
IMSDBD LIKE %

KILL Commands Execution

For each SQL Verb from the KILL Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

Logged R/T Alerts

This report displays a bar representing the total number of alerts logged during the reporting period, for each type of real-time alert logged, based on the Access Rule Description attribute of the Policy Rule Violation entity.

Logged Threshold Alerts

This report displays a bar representing the total number of alerts logged during the reporting period, for each type of threshold alert logged, based on the Alert Description attribute of the Threshold Alert Details entity.

Long Running Queries

For the reporting period, this report lists the longest running queries, with the longest average execution time first. For each query, lists the Client IP, Server IP, SQL, Period Start (from the Access Period entity), Average Execution Time, and the count of occurrences for this row. You cannot access the query this report is based upon.

Number of Active Privacy Set Tasks

Number of active Guardium audit processes that contain one or more privacy set tasks. When central management is used, this report contains data on the Central Manager only, and is empty on all managed units (the standard message, No data found for requested query, displays). This report has non-standard run time parameters: there are no from and to date parameters, so all audit processes containing one or more privacy set tasks will be reported. You can clone the query that this report is based upon (Number of Active Privacy Set Processes), but you cannot clone or regenerate the default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).

Number of Active Audit Processes

The number of active Guardium audit processes. When central management is used, this report contains data on the Central Manager only, and is empty on all managed units (the standard message, No data found for requested query, displays). This report has non-standard run time parameters: there are no from and to date parameters, so all active audit processes will be reported. You can clone the query that this report is based upon (Number of Active Processes), but you cannot clone or regenerate the default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).

Number of db per type

Displays the number of servers and clients for each monitored database type (default time period is the current day).

Object Activity Summary

This report displays reporting period activity for a single Object Name, which is specified as a run time parameter. Each row of the report displays the Client IP, Source Program, SQL Verb, Depth (of sentence within the SQL command), an Object Name, and a count of times that object was referenced for that row.

Objects List

This report lists all objects seen during the reporting period. At the outermost level, objects are grouped by the Period Start time from the Access Period entity, which is usually one hour, on the hour. Your SQL Guard administrator can modify the access period length by changing the logging granularity, which is one hour by default. For each Access Period in the reporting period, each row lists the access Period Start time, an Object Name, and the count of occurrences for that row.

One User One IP

For each DB User Name for which session data was collected during the reporting period, each line of this report displays the count of Client IP addresses from which the user logged in, and a total number of sessions.

Outstanding Audit Process Reviews

For each Guardium user Login Name, this report lists the number and type of outstanding Guardium audit processes. An outstanding audit process has a Status attribute value (in the Task Results To-Do-List entity) other than Reviewed or Signed. This report has non-standard run time parameters: there are no from and to dates, which means that all outstanding task results will be reported. You can clone the query that this report is based upon (it has the same name), but you cannot clone or regenerate the default report. The cloned query will have all of the standard run-time parameters (including the from and to dates).

Policy Violation Count

For the reporting period, this report displays the number of policy violations logged.

Privileged Account Utilization

Show User, Verb, and the Count of Periods within which the Verb was performed by a User in the group Admin Users

Privileged User Access of Business Objects

Show User, Verb, Object where the User in Admin Users and the Verb was performed by the on an Object that is in a selected group of Business Objects

Policy Violations

For every policy rule violation logged during the reporting period, this report provides the Timestamp from the Policy Rule Violation entity, Access Rule Description, Client IP, Server IP, DB User Name, Full SQL String from the Policy Rule Violation entity, Severity Description, and a count of violations for that row. You cannot access the query that this report is based upon (Policy Violations List with Severity), but you can clone the report.

Request Rate

By default, displays the request rate for the last two hours. This graphical report is intended to display recent activity only. If you alter the From and To run-time parameters to include a longer timeframe, you may receive a message indicating that there is too much data. (Use a tabular report to display a larger time period.)

RESTORE Commands Execution

For each SQL Verb from the BACKUP Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

REVOKE Commands Execution

For each SQL Verb from the REVOKE Commands group seen during the reporting period, this report displays the Client IP, Server IP, Service Name, DB User Name, Source Program, Database Name, Object Name, SQL Verb, and Count of Objects referenced in the row.

Sensitive Objects Usage

For each object in the Sensitive Objects group, displays a row for each Client IP and Source Program that referenced the object during the reporting period, and a count of object references.

The Sensitive Objects group is empty at installation time. Someone at your company must populate the group with the appropriate set of members.

Sessions By Server Type

For each server type (DB2®, Informix®, etc.), a row of this report displays the total number of sessions that were open during the reporting period (by default, the last three hours).

Sessions List

This report lists all database sessions for the reporting period. For each session, the report displays the session (entity) Timestamp, the Session Start (timestamp), Server Type, Client IP, Server IP, Client Port, Server Port, Network Protocol, DB Protocol, DB Protocol Version, DB User Name username, Source Program, and Count of Sessions for that row (which should always be 1).

As with most reports, drill-down reports are available. There are a number of session reports that are accessible from this report, but are not included on any menu. This includes the following reports, with the run time parameters for those reports set by using values from the selected row of the report:

Report Run-time Parameters
Sessions by Client IP Server IP, Server Type
Sessions by Server IP Server Type
Sessions by Source Program Server Type, Sever IP
Sessions by User Server Type, Server IP
Sessions Details by Server Server Type, Server IP

SQL Errors

For each SQL error during the reporting period, displays the Client IP address, Server IP address, Server Type, database user name, database error text, and error occurrence total for that record.

Terminated Users Failed Login Attempts

Lists failed login attempts by database users who are members of the Terminated DB User group. This report will be empty if there were no failed login attempts by anyone in this group during the reporting period.

The Terminated DB Users group is pre-defined, but empty at installation time. It must be populated by someone at your location. The built-in query for this report cannot be accessed. The query that this report is based upon (Terminated Users Failed Login Attempts) cannot be accessed from any query builder.

Terminated Users Logins

Lists all logins by database users who are members of the Terminated DB User group. Each row lists a DB User Name, Client IP, Server IP, Server Type, Source Program, last login time (the maximum value of the Session Start attribute), and the count of sessions for the row.

The Terminated DB Users group is empty at installation time. It must be populated by someone at your location. The query that this report is based upon, Terminated Users Logins, cannot be accessed from the Query-Report Builder.

Throughput

This report produces a count of all Server IPs seen, and total accesses, during the reporting period. At the outermost level, accesses are grouped by the Period Start time from the Access Period entity, which is usually one hour, on the hour. Your Guardium® administrator can modify the access period length by changing the logging granularity, which is one hour by default. Each row lists the Period Start time, the count of Server IPs seen, and a total count of accesses for the row.

You can restrict the output of this report using the Server IP run time parameter, which by default is set to “%” to select all IP addresses.

Throughput (Graphical)

This report is a Distributed Label Line chart version of the tabular Throughput report, plotting the total number of accesses over the reporting period, one data point per Period Start time.

You can restrict the output of this report using the Server IP run time parameter, which by default is set to “%” to select all IP addresses.

Users inactive since

Show User and Last Session Start for all users having Access records and having max Session Start time earlier than 90 days ago. (an inactive user is missed if they never once logged in, or if all their old logins have been purged)

Violations/Incidents

See Incident Management.

View Installed Policy

In the Currently Installed Policy panel, this special report displays the information about the installed policy such as the policy name, the number of rules it contains, and its policy definition settings. You cannot access the query this report is based upon.