Criteria

Criteria supported by session-level policies and advanced session-level policies include:
  • Analyzed client IP address (ANALYZED_CLIENT_IP)

    Use this option when sessions are decrypted and the client IP address is not available.

    Restriction: ANALYZED_CLIENT_IP is the result of correlating encrypted and unencrypted sessions, so this criterion is not always available.
  • Analyzed client net mask (ANALYZED_CLIENT_NET_MASK) (only supports = operator)

    An analyzed client net mask is an optional addition to the analyzed client IP address criterion. Together they express the IP address criterion as a range of addresses (a subnet) rather than a single host.

  • Application user (APP_USER)
  • Authentication type (AUTH_TYPE)
    Use to differentiate sessions by authentication method. Allowed values:
    • WINDOWS
    • DATABASE
    • KERBEROS
    • ACTIVE_DIRECTORY
    • NO_AUTH
    • PLAIN
    • HTTP_BASIC
    • BEARER
    • FEDERATION
    • GSSAPI
    • SCRAMSHA1
    • SCRAMSHA256
    • OS
    • SAML
    • LDAP
    • COOKIE
  • Client host name (CLIENT_HOST_NAME)
  • Client IP address (CLIENT_IP)
  • Client net mask (CLIENT_NET_MASK) (only supports = and != operators)

    Client net mask is only available when using the client IP address parameter.

  • Client operating system (CLIENT_OS_NAME)
  • Command (COMMAND)

    The command is taken from the beginning of the SQL text; parser output is not used. For example, with the statement select sysdate from dual, select is recognized as the command.

  • Client time zone (CTIMEZONE)

    Use to limit the rule to a specific time zone of the client.

  • Database name (DB_NAME)
  • Database protocol (DB_PROTOCOL)

    Use to differentiate databases by type and by the protocol version a database is using.

  • Database type (DB_TYPE)
  • Database user (DB_USER)
  • Error (ERROR)

    Use to search for specific database errors. Can be used to check for LOGIN_FAILED. Allowed value:
    • LOGIN_FAILED

      Use to check for failed logins.

    Note:
    • The Error criterion is set to true for any error except LOGIN_FAILED.
  • Incident (INCIDENT) (only supports = and != operators)
    This detects problems related to protocol-level security. Allowed values:
    • CREDENTIAL_STUFFING
    • PLAIN_PASSWORD

      Check whether the password was sent in plain text.

    • WEAK_PASSWORD

      Check whether the password was protected with weak encryption.

  • Network protocol (NET_PROTOCOL)
  • Operating system user (OS_USER)
  • Sender IP address (SENDER_IP)
  • Sender net mask (SENDER_NET_MASK) (only supports = and != operators)

    Sender net mask is only available when using the sender IP address parameter.

  • Server description (SERVER_DESC)

    Use to match the optional description assigned to the database server.

  • Server host name (SERVER_HOST_NAME)
  • Server IP address (SERVER_IP)
  • Server net mask (SERVER_NET_MASK) (only supports = and != operators)

    Server net mask is only available when using the server IP address parameter.

  • Server operating system (SERVER_OS_NAME)
  • Server port (SERVER_PORT)

    Use server port to differentiate multiple instances of the same database type on a single host.

  • Service name (SERVICE_NAME)
  • Session (SESSION) (only supports = and != operators)
    Allowed values:
    • ADMIN

      Check for administrator privileges. Supported for Oracle, PostgreSQL, Vertica, GreenPlum, Aster, and DB2 (DAS).

    • ENCRYPTED
    • GET_USERNAME_PROBLEM

      Applies when the Oracle Analyzer has identified a database user name retrieval issue.

    • HIGH_TRUST

      Apply the rule's actions to all sessions whose TRUST_LEVEL (GDM_SESSION) is HIGH.

    • LOCAL
    • LOW_TRUST

      Apply the rule's actions to all sessions whose TRUST_LEVEL (GDM_SESSION) is LOW.

    • PE_ANOMALY

      Use to trigger the rule when the probability engine has identified an anomaly (exception) in the session.

    • SENSITIVE

      Identifies whether the session matched an extrusion pattern. This criterion is supported for Windows S-TAP only.

      For Windows S-TAP only: when a REDACT action sends a regular expression to the S-TAP and the S-TAP redacts some data, the SESSION criterion SENSITIVE is set to true for that session.
    • TAP_DECRYPTED
  • Session start time range (SESSION_START) (only supports = and != operators)

    Use to restrict the rule to sessions that started within a specific time range, for example to avoid logging and processing data from known database optimization or backup windows. For more information and detailed examples, see Scheduling with SESSION_START examples.

  • Source application (SOURCE_PROGRAM)
  • Statement (STATEMENT)

    Use with wildcards to search the SQL statement text.

    A statement length restriction can be prefixed to the pattern in the format $(<min integer>[-<max integer>][K])$[<string_literal>]. For example, $(92-92)$%SYS.DUAL% matches only if the statement is exactly 92 bytes long, and $(32K)$ means 32 KB. Groups of type object, command, and field can be assigned to statement criteria.

    Note: Session level policy's STATEMENT criteria is equivalent to the Data security policy's PATTERN criteria.
  • Tuple (TUPLES)
Note:
  • To match a criterion whose value is empty, use either != '%' or = 'guardium://empty'.
  • Hex values can be matched using \hd<xx> in criteria, patterns, group members, or tuple elements. For example: \hdffOPERO matches <0xff>OPERO
  • Identify binary non-ASCII symbols using the following: DB_USER != 'GUARDIUM:://LATIN'
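The following Python is an added illustration, not Guardium's own matching code: it reimplements the STATEMENT criterion semantics described above (the optional $(<min>[-<max>][K])$ byte-length prefix, the % wildcard, \hd<xx> hex escapes and the guardium://empty sentinel) so that a criterion can be tried against sample statements before it is put in a policy. It assumes that a length prefix with only a minimum means "at least that many bytes", that % is the only wildcard and stands for any run of bytes (as in SQL LIKE), that matching is case-sensitive over the statement's raw bytes, and that a bare length prefix with no pattern matches any statement of that length; the page confirms none of these details, so treat them as assumptions. The sample statements are constructed for the demonstration.

```python
import re

# Optional length prefix at the start of a STATEMENT criterion: $(<min>[-<max>][K])$
_LENGTH_SPEC = re.compile(r'^\$\((\d+)(?:-(\d+))?(K)?\)\$')
# Hex escape for one byte, as used in criteria, patterns and group members: \hd<xx>
_HEX_ESCAPE = re.compile(r'\\hd([0-9A-Fa-f]{2})')


def decode_hex_escapes(text: str) -> bytes:
    r"""Turn r'\hdffOPERO' into b'\xffOPERO'; everything else is UTF-8 encoded."""
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode('utf-8')
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode('utf-8')
    return bytes(out)


def parse_statement_criterion(criterion: str):
    """Split a STATEMENT criterion into (min_len, max_len, compiled byte pattern).

    min_len/max_len are in bytes (None when not given); a trailing K multiplies
    both by 1024. A minimum without a maximum is read as "at least min bytes"
    (assumption: the page only shows the min-max and K forms).
    """
    min_len = max_len = None
    m = _LENGTH_SPEC.match(criterion)
    if m:
        unit = 1024 if m.group(3) else 1
        min_len = int(m.group(1)) * unit
        max_len = int(m.group(2)) * unit if m.group(2) else None
        criterion = criterion[m.end():]
        if not criterion:
            # Assumption: a bare length prefix matches any statement of that length.
            criterion = '%'
    # Assumption: '%' is the only wildcard and stands for any run of bytes (SQL LIKE
    # style); all other characters, including decoded \hd<xx> bytes, match literally
    # and case-sensitively.
    parts = [re.escape(decode_hex_escapes(p)) for p in criterion.split('%')]
    return min_len, max_len, re.compile(b'.*'.join(parts), re.DOTALL)


def statement_matches(criterion: str, statement: bytes) -> bool:
    """Evaluate STATEMENT = <criterion> against the raw bytes of a SQL statement."""
    if criterion == 'guardium://empty':
        return len(statement) == 0
    min_len, max_len, pattern = parse_statement_criterion(criterion)
    n = len(statement)
    if min_len is not None and n < min_len:
        return False
    if max_len is not None and n > max_len:
        return False
    return pattern.fullmatch(statement) is not None


if __name__ == '__main__':
    # Constructed sample statements, padded to the lengths the criteria care about.
    dual = b'SELECT 1 FROM SYS.DUAL' + b' ' * 70          # exactly 92 bytes
    samples = [
        ('$(92-92)$%SYS.DUAL%', dual),                     # True: 92 bytes, contains SYS.DUAL
        ('$(92-92)$%SYS.DUAL%', dual + b' '),              # False: 93 bytes
        ('$(32K)$', b'x' * 32768),                         # True: 32 KB
        (r'\hdffOPERO', b'\xffOPERO'),                     # True: byte 0xff then OPERO
        ('guardium://empty', b''),                         # True: empty statement
    ]
    for crit, stmt in samples:
        print(f'{crit!r:28} {len(stmt):6d} bytes -> {statement_matches(crit, stmt)}')
```

Lengths are counted on the statement's bytes rather than characters, which is what "92 bytes" in the format description implies; a statement containing multibyte characters therefore counts more than its character length.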

Guardium regex patterns

Some criteria support <guardium_regex>, which indicates a special regular expression that can include one of the following patterns:
  • GUARDIUM://CREDIT_CARD/MASTERCARD
  • GUARDIUM://CREDIT_CARD/VISA
  • GUARDIUM://CREDIT_CARD/AMEX
  • GUARDIUM://CREDIT_CARD/DINERS
  • GUARDIUM://CREDIT_CARD/DISCOVER
  • GUARDIUM://CREDIT_CARD/JCB
  • GUARDIUM://CREDIT_CARD/UNIONPAY
  • GUARDIUM://CREDIT_CARD[/[MASTERCARD][|VISA][|AMEX][|DINERS][|DISCOVER][|JCB][|UNIONPAY]] – Any combination of the listed card types, separated by |.
  • GUARDIUM://CREDIT_CARD – Combines all 7 types of credit cards.