Predefined reports, tags, and data points
Guardium® Insights offers several predefined reports that help you quickly and easily identify security risks, such as inappropriately exposed objects, users with excessive rights, and unauthorized administrative actions. These predefined reports can be copied and customized. They cannot be deleted or modified in any way. Examples of the many predefined reports include: Client IP activity summary, Full SQL, Exception details, and Sensitive object usage.
- Predefined reports
- Default report tags
- Report data points and columns
- Event data points
- Exception data points
- Full SQL data points
- Instance data points
- Object data points
- Policy violation data points
- Sentence data points
- Session data points
- Vulnerability assessment data points
- Classification data points
- Audit data points
- User notification data points
- Data mart data points
- Outlier data points
- New report data points
Predefined reports
| Name | Report ID | Description | Tag | Data points |
|---|---|---|---|---|
| Administrative command usage | 000000000000000000000702 | This report lists all instances of SQL verbs included in the Administrative Commands group. | Insider, Privileged-activity | Server IP, Server hostname, Client IP, Service name, Database name, DB user, Source application, Verb, Object name, Total count |
| Administrative object usage | 000000000000000000000703 | This report lists all instances of object names included in the Administrative Objects group. | Insider, Privileged-activity | Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Object name |
| Administrative user login | 000000000000000000000701 | This report details login activity for those with administrator privileges. | Insider, Privileged-activity | Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Session ID |
| Audit results log | 000000000000000000001301 | A log of all audit activity and results within Guardium Insights | Audit-activity, Internal | User ID, Report name, Entry type, Date updated (local time), Field updated, Comment, Schedule ID, Entry ID |
| Classification | 000000000000000000001101 | This report details incoming classification data. | Classification | Classification start, Data source IP, Data source name, Data source type, Port, Service name, Schema, Catalog, Table, Column, Description, Classification name, Classification rule, Category, Comprehensive |
| Client IP activity summary | 000000000000000000000901 | This report displays activity for each client IP address. | Activity | Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Objects and verbs, Total count |
| Command execution | 000000000000000000000704 | This report provides details about the usage of SQL verbs in the DROP, GRANT, ALTER, REVOKE Commands group. | Insider, Privileged-activity | Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Verb |
| Connection events | 000000000000000000001501 | Guardium Insights internal report for tracking all connection events. | Connection-events, Internal | Hostname, Event type, Message, Event source, Event timestamp (local time), Connection ID, Connection name, Database name |
| Connection profiling list | 000000000000000000000301 | This report details incoming database connections. | Connections | Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Session ID |
| DML execution on administrative objects | 000000000000000000000705 | This report details the instances in which SQL verbs from the DML Commands group were used to reference object names in the Administration Objects group. | Insider, Privileged-activity | Server IP, Server hostname, Client IP, Service name, DB user, Source application, Verb, Object name |
| DML execution on sensitive objects | 000000000000000000000903 | This report details each SQL verb from the DML Commands group that references an object name in the Sensitive Objects group. | Activity | Server IP, Server hostname, Client IP, Service name, DB user, Source application, Verb, Object name |
| Data mart ingestion status | 000000000000000000001800 | The status of data mart files being ingested by Guardium Insights. | Data mart, Internal | Status entry creation time, Period start, Period end, Ingestion ID, Guardium appliance hostname, Data type, Export record count, Export status, Ingestion status, Total file count, Successful file count, Failure file count, Error |
| Exception details | 000000000000000000000904 | This report details exceptions logged. | Activity | Exception timestamp (local time), Server IP, Server hostname, Client IP, Service name, DB user, Source application, SQL that caused exception, Error cause, Exception additional info |
| Failed login attempts | 000000000000000000000707 | This report lists all failed login attempts. | Insider, Privileged-activity | DB user, Source address, Database protocol, Destination address, Exception ID |
| Full SQL | 000000000000000000000905 | This report shows the details for the full SQL statements that are run by DB users for a selected period of time. | Activity | DB user, Full SQL timestamp (local time), Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, Source application, SQL query |
| Number of connections per server | 000000000000000000000401 | This report shows the number of connections associated with each server. | Denial-of-Service | Server IP, Server hostname, Session ID |
| Outbound notification log | 000000000000000000001401 | Guardium Insights internal report for tracking all outbound notifications. | Notification, Internal | Status, , Integration, Origin, Destination, Title, Contents, Retry count, Date created (local time), Date delivered (local time) |
| Outlier details | Details of outliers per source | Outliers | Detailed outlier score, Detailed high volume outlier, Detailed vulnerable object outlier, Detailed new activity outlier, Detailed exception outlier, Total activity count, Server IP, Database type, Client hostname, Operating system user, Database user, Database, Object, Verb, Period start (local time), Timeframe | |
| Outlier summary | An hourly summary of outliers per source | Outliers | Anomaly score, High volume outlier, Vulnerable object outlier, New activity outlier, Diverse activity outlier, Exception outlier, Ongoing outlier, Server IP, Database, Database user, Privileged user, Period start (local time), Timeframe | |
| Policy violation | 000000000000000000000906 | This report shows every policy rule violation that is logged. | Activity | Policy violation timestamp (local time), DB user, Rule name, Server hostname, Server IP, Full SQL, Severity, Source application, Client IP, OS user |
| Scheduled jobs exceptions | 0000000000000000000001001 | This report displays exceptions for scheduled jobs. | Activity | Exception additional info, Exception ID |
| Sensitive object usage | 000000000000000000000907 | This report details all objects from the Sensitive Objects group that were referenced. | Activity | Object name, Server IP, Server hostname, Client IP, Service name, DB user, Source application |
| Sessions by client IP | 000000000000000000000908 | This report provides details about session data that is collected for each database user. | Activity | Client IP, Session ID |
| SQL errors | 000000000000000000000203 | This report lists SQL errors that were discovered. | Brute-force | Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Exception additional info, Error cause, Exception ID |
| Vulnerability assessment | 0000000000000000000001201 | This report details incoming vulnerability assessment data. | Vulnerability | Data source name, Database type, DB name, DB version, DB patch, Full version info,Description, Host, Test, , Result description, Result text, Recommendation, Severity, Category, Execution date (local time), Assessment description, Service name, Port, Data source ID, Result details, Test ID, External reference, External group description |
To work with an individual predefined report, click it in the Reports page.
Default report tags
Guardium Insights provides these predefined report tags:
- Activity
- Audit-activity
- Brute-force
- Classification
- Connections
- Connection-events
- Data mart
- Denial-of-Service
- Guardium-monitoring
- Insider
- Insider-and-privileged-activity
- Internal
- Notification
- Outliers
- Privileged-activity
- Vulnerability
You can also create your own report tags when creating or working with a custom report.
Report data points and columns
Default Guardium Insights report data types include:
| Name | Description |
|---|---|
| ID | Event ID |
| Hostname | Database server hostname |
| Event type | Type for the connection event |
| Message | Message in the connection event |
| Event source | Source for the connection event |
| Connection ID | The ID of the connection associated with the event |
| Connection name | The name of the connection |
| Event timestamp (local time) | Date and time of last update (local time) |
| Name | Description |
|---|---|
| Exception type ID | Exception type code |
| Exception ID | Uniquely identifies the exception |
| User | Database user |
| Source address | Source address |
| Destination address | Server IP address. |
| Application user | Name of the user creating the policy rule violation |
| Exception additional info | Description of the database or S-TAP exception. S-TAP exceptions contain the IP address or DNS name of the database server. Database exceptions contain an error code from the database management system. |
| SQL that caused exception | SQL that caused exception |
| Error cause | Short text description of the error |
| Error code | Database error code |
| Exception timestamp | Date and time of the last update |
| Exception timestamp (local time) | Date and time of last update (local time) |
| Session ID | Uniquely identifies the session |
| Information link | Link to more information about the exception |
| Original time zone | The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones |
| Exception count | Count |
| Source ID | Source ID |
| Collector ID | Uniquely identifies the session access |
| Name | Description |
|---|---|
| Full SQL ID | Unique identifier for the full SQL statement |
| Message type | Message type |
| Session ID | Uniquely identifies the session |
| Full SQL timestamp | Date and time of the last update |
| Full SQL timestamp (local time) | Date and time of the last update (local time) |
| Original time zone | The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones |
| Instance ID | Unique identifier for the construct instance |
| Rule name | The description of the rule from its definition |
| SQL query | SQL string |
| Full SQL: Total records affected | Total number of records affected |
| Result of SQL query | Result of the SQL query |
| Status | SQL statement status |
| SQL query response time | The response time for the request in milliseconds |
| Acknowledge response time | Acknowledged response time in milliseconds |
| Collector ID | Uniquely identifies the session access |
| Name | Description |
|---|---|
| Message type | Message type |
| Instance ID | Unique identifier for the construct instance |
| Session ID | Uniquely identifies the session |
| Original time zone | Date and time of the last update (local time) |
| Period start | Access period start date and time |
| Period start (local time) | Access period start (local date and time). |
| Period end | Access period end date and time |
| Period end (local time) | Access period end (local date and time). |
| Application event ID | Unique identifier for the application event entity |
| Application user | Name of the user creating the policy rule violation |
| Application event type | Application event type |
| Application event value (string) | Application event value (string) |
| Application event value (number) | Application event value (number) |
| Application event date | Date and time when the event occurred |
| Application event date (local time) | Local date and time value, set by GuardAppEvent:Start (display format yyyy-mm-dd hh:mm:ss). |
| Construct ID | Uniquely identifies the SQL statement |
| Mask SQL query | Original SQL statement before any query rewrites are applied |
| Objects and verbs | Verbs are SQL actions such as SELECT, INSERT, UPDATE, and DELETE. Objects are database objects such as tables, views, and schemas. |
| Number of successful SQL queries | Number of successful SQL queries |
| Number of failed SQL queries | Number of failed SQL queries |
| DB user | Database user is the user that connected to the database, either locally or remotely |
| OS user | OS user |
| Source application | The application that originated the activity |
| Server IP | Server IP address |
| Client IP | Client IP address |
| Service name | Service name or alias used until the service is connected |
| Client hostname | Client hostname |
| Database type | Type of database, for example Db2, Oracle, or Sybase |
| Database name | Name of database for the session. Oracle databases may contain additional application-specific information. |
| Application event user | User name set by GuardAppEvent:Start, part of the Guardium Application
Events API |
| Server port | Server port number |
| Network protocol | Network protocol, for example TCP or UDP. For K-TAP on Oracle, this displays as either IPC or BEQ. |
| Instance: Total records affected | Total number of records affected |
| Server hostname | Server hostname |
| Access timestamp | Date and time of the last update |
| Access (local timestamp) | |
| Average time to execute SQL queries | Average time to execute SQL queries |
| Collector ID | Uniquely identifies the session access |
| Total count | The total number of SQL queries, both successful and failed |
| Name | Description |
|---|---|
| Object ID | Uniquely identifies the object |
| Object name | Name of the object |
| Message type | Message type |
| Sentence ID | The key of sentence entity |
| Construct ID | Uniquely identifies the SQL statement |
| Object timestamp | Date and time of the last update |
| Ingest timestamp | Date and time of the last update |
| Name | Description |
|---|---|
| Message type | Message type |
| Violation ID | Uniquely identifies the violation |
| Session ID | Uniquely identifies the session |
| Original time zone | The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones |
| OS user | OS user |
| DB user | Database user is the user that connected to the database, either locally or remotely |
| Client IP | Client IP address |
| Client hostname | Client hostname |
| Source application | The application that originated the activity |
| Server IP | Server IP address |
| Database type | Type of database, for example Db2, Oracle, or Sybase |
| Service name | Service name or alias used until the service is connected |
| Construct ID | Uniquely identifies the SQL statement |
| Objects and verbs | Verbs are SQL actions such as SELECT, INSERT, UPDATE, and DELETE. Objects are database objects such as tables, views, and schemas. |
| Application user | Name of the user creating the policy rule violation |
| Access rule ID | Uniquely identifies the access policy rule |
| Rule name | The description of the rule from its definition |
| Full SQL | SQL string causing the policy rule violation |
| Occurrences | The total number of times a unique violation was observed |
| Category name | Policy rule category |
| Classification name | Classification of the policy rule as defined by the user |
| Severity | Policy rule severity |
| Policy description | Description of the policy |
| Policy violation timestamp | Date and time of the last update |
| Server hostname | Server hostname |
| Collector ID | Uniquely identifies the session access |
| Policy violation timestamp (local time) | Date and time of the last update (local time) |
| Name | Description |
|---|---|
| Message type | Message type |
| Sentence ID | The key of sentence entity |
| Construct ID | Uniquely identifies the SQL statement |
| Verb | SQL command |
| Depth | Depth of the command in the SQL parse tree |
| Parent sentence ID | The key of the parent sentence for a subquery |
| Sentence timestamp | Date and time of the last update |
| Ingest timestamp | Date and time of the last update |
| Name | Description |
|---|---|
| Message type | Message type |
| Session ID | Uniquely identifies the session |
| Database type | Type of database, for example Db2, Oracle, or Sybase |
| Server OS | Server operating system |
| Client OS | Client operating system |
| Server ID | Server ID |
| Client IP | Client IP address |
| Network protocol | Network protocol, for example TCP or UDP. For K-TAP on Oracle, this displays as either IPC or BEQ. |
| Database protocol | Protocol specific to the database server |
| Database protocol version | Protocol version for the database protocol |
| DB user | Database user is the user that connected to the database, either locally or remotely |
| OS user | OS user |
| Source application | The application that originated the activity |
| Client hostname | Client hostname |
| Server hostname | Server hostname |
| Service name | Service name or alias used until the service is connected |
| Database name | Name of database for the session. Oracle databases may contain additional application-specific information. |
| Client port | Client port number |
| Server port | Server port number |
| Source ID | Source ID |
| Original time zone | The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones |
| Connection start | Date and time the session started |
| Connection start (local time) | Session start (local date and time). |
| Connection end | Date and time the session ended |
| Connection end (local time) | Session end (local date and time) |
| TTL | Time to live. The amount of time that data is allowed to live in the database |
| Inactive flag | -1: Closed by database session timeout, 0: Open (SQL package), 1: Closed by logout or disconnect, 2: Closed due to timeout on Guardium system (session reopens if traffic is regenerated in the same session), 3: Non-SQL packets |
| Session ignored | Indicates if any part of the session was ignored, starting at a specific time. |
| Ignore since | Timestamp when the session was first ignored |
| Ignore since (local time) | Start of session ignore (local timestamp) |
| UID chain | For a session reported by UNIX S-TAP in K-TAP mode, this shows the chain of operating system users when users 'su' with a different username. |
| Compressed UID chain | The chain of operating system users, starting from when a user switches to a different username. The values that appear here vary by operating system and platform. User IDs may be reported instead of usernames in the UID Chain. |
| Failover flag | Indicates if a session failover occurred |
| Failover timestamp | Date and time of session failover |
| Failover timestamp (local time) | Session failover occurred (local timestamp) |
| Login succeeded | Indicates if session login was successful |
| Sender IP | Sender's IP address |
| Inspection engine identifier | Inspection engine identifier |
| Access ID | A unique identifier for this client/server connection |
| Server IP | Server IP address |
| Server database type | Type of database, for example Db2, Oracle, or Sybase |
| Server IP/Server hostname | Server IP/Server hostname |
| Server/Database type | Server/Database type |
| Name | Description |
|---|---|
| Message type | Message type |
| Data source name | Full name of the data source |
| Database type | Type of database, for example Db2, Oracle, or Sybase |
| DB name | Database name |
| DB version | Database version level |
| DB patch | Database patch level |
| Full version info | Database version and patch |
| Description | Data source description |
| Host | Database host |
| Test | Test description |
| Result code | Code for the result description that can be used if the report data is exported |
| Result description | Either Pass or the reason for the test failure |
| Result text | Details of the test results |
| Recommendation | Actions to take to eliminate the vulnerability |
| Severity | Policy rule severity |
| Category | Policy rule category |
| Execution date | Date and time the vulnerability process started running |
| Execution date (local time) | Date and time the vulnerability process started running (local time) |
| Assessment description | Name of the assessment process |
| Service name | Service name or alias used until the service is connected |
| Port | Data source port |
| Data source ID | ID of the data source |
| Result details | Additional test result details |
| Test ID | Test case ID |
| External reference | Description of the external reference |
| External group description | Description of the external group |
| Server IP | Server IP address |
| Name | Description |
|---|---|
| Message type | Message type |
| Start date (local time) | Date and time the classification process started running (local time). |
| Data source IP | The data source server IP |
| Data source name | Full name of the data source |
| Data source type | Database type |
| Port | Data source port |
| Service name | Service name or alias used until the service is connected |
| Schema | Displays if the data source includes schema details. |
| Catalog | Displays if the data source includes catalog details. |
| Table | Table name in the data source |
| Column | Column name in the data source |
| Description | Data source description |
| Classification name | Classification of the policy rule as defined by the user |
| Classification rule | Classification rules use regular expressions, Luhn algorithms, and other criteria to define rules for matching content when applying a classification policy. |
| Comments | Comments are added by users to provide additional details. |
| Category | Categories are used to group policy violations for both reporting and incident management. |
| Comprehensive | Classification based on random sampling of data |
| Global ID | Uniquely identifies the session access |
| Classification start | Date and time the classification process started running |
| Classification start (local time) | Date and time the classification process started running (local time) |
| Name | Description |
|---|---|
| User ID | ID of the user that took an action on the audit |
| Report name | Report name for the audit |
| Data source IP | The data source server IP |
| Entry type | Audit or task type |
| Entry title | Audit or task entry |
| Date updated (local time) | Date and time of the last update |
| Field updated | Field updated while auditing |
| Comment | User comment |
| Schedule ID | ID for the scheduled job that includes scheduled tasks |
| Entry ID | ID for the audit or task associated with this audit event |
| Name | Description |
|---|---|
| Title | Notification title |
| Contents | Detailed contents for the notification |
| Retry count | Number of times the notification was resent |
| Date created (local time) | Date and time the notification was created |
| Date delivered (local time) | Date and time the notification was delivered |
| Status | Status for the notification |
| Integration | Integration service used by the notification |
| Origin | Incoming source for the notification |
| Destination | Where the notification will be sent |
| Name | Description |
|---|---|
| Ingestion ID | Unique ID generated per data mart per Guardium system |
| Guardium appliance hostname | Full hostname of the Guardium system sending the data mart |
| Data type | The type of data mart |
| Period start | The period start of the data belonging to that particular data mart bundle |
| Period end | The period end of the data belonging to that particular data mart bundle |
| Export record count | The total count of records exported from a Guardium system for a data mart |
| Export status | Status of the export process of data mart from a Guardium system |
| Ingestion status | Status of the ingestion of data inside Guardium Insights |
| Total file count | Total number of files inside a data mart |
| Successful file count | Total number of files successfully ingested for a data mart |
| Failure file count | Total number of files failed on ingestion for a data mart |
| Error | Error information for a data mart, if error information is available |
| Status entry creation time | The timestamp in UTC for when the entry gets created |
| Name | Description |
|---|---|
| Server IP | Server IP address |
| Database user | Database user is the user that connected to the database, either locally or remotely |
| Database | Name of database for the session. Oracle databases may contain additional application-specific information. |
| Anomaly score | Outlier anomaly score |
| Period start | Outliers identified based on activities for the hour starting at this time |
| Period start (local time) | Outliers identified based on activities for the hour starting at this time (local time) |
| New activity outlier | Unusual volume of new activities |
| Privileged user | Privileged user |
| High volume outlier | Exceptionally high volume of activities |
| Diverse activity outlier | Exceptionally high volume of different types of activities. For example, a larger range of activities than usual or activities performed at an unusual time. |
| Exception outlier | Unusually high volume of exceptions |
| Ongoing outlier | Anomaly continued for an ongoing period of time. These anomalies may have had a low score and did not result in an outlier on their own. |
| Database type | Type of database, for example Db2, Oracle, or Sybase |
| Timeframe | Outlier activity occurred during this timeframe. Timeframe can be workday, weekend, or off-hours |
| Vulnerable object outlier | Exceptionally high volume of activities on vulnerable objects |
| Application | The application that originated the activity |
| Total activity count | The total number of SQL commands that result in this outlier |
| Detailed outlier score | The outlier anomaly score applies only to high volume and vulnerable object outliers |
| Object | Name of the object |
| Verb | SQL command |
| Detailed exception outlier | These are the details of an outlier with a high volume of exceptions |
| Detailed new activity outlier | These are the details of an outlier with an unusual volume of new activities |
| Detailed high volume outlier | These are the details of an outlier with an exceptionally high volume of activities |
| Records affected | The number of records affected by the SQL commands that results in this outlier |
| Client IP | Client IP address |
| Client hostname | Client hostname |
| Operating system user | OS user |
| Detailed vulnerable object outlier | These are the details of an outlier with an exceptionally high volume of activities on vulnerable objects |
New report data points
| Category | Category ID | Available data points |
|---|---|---|
| Classification | 000000000000000000000006 | |
| DB activity | 000000000000000000000001 | |
| DB exception | 000000000000000000000003 | |
| Data mart ingestion status | 000000000000000000000018 | Table 14 |
| Full SQL | 000000000000000000000004 | |
| Outliers | 000000000000000000000010 | Table 15 |
| Policy violation | 000000000000000000000002 | |
| Vulnerability assessment | 000000000000000000000005 |